ComboFix 12-01-02.02 - JA 2012-01-03 2:10.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.1015.696 [GMT 1:00]
Uruchomiony z: c:\documents and settings\JA\Moje dokumenty\Pobieranie\ComboFix.exe
AV: avast! antivirus 4.8.1229 [VPS 080912-1] *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Dane aplikacji\TEMP
c:\documents and settings\JA\Dane aplikacji\pny\pnd.exe
c:\documents and settings\JA\Ustawienia lokalne\Dane aplikacji\b52a7b6b\U\00000001.@
c:\documents and settings\JA\Ustawienia lokalne\Dane aplikacji\b52a7b6b\U\000000c0.@
c:\documents and settings\JA\Ustawienia lokalne\Dane aplikacji\b52a7b6b\U\000000cb.@
c:\documents and settings\JA\Ustawienia lokalne\Dane aplikacji\b52a7b6b\U\000000cf.@
c:\documents and settings\JA\Ustawienia lokalne\Dane aplikacji\b52a7b6b\U\80000000.@
c:\documents and settings\JA\Ustawienia lokalne\Dane aplikacji\b52a7b6b\U\800000c0.@
c:\documents and settings\JA\Ustawienia lokalne\Dane aplikacji\b52a7b6b\U\800000cb.@
c:\documents and settings\JA\Ustawienia lokalne\Dane aplikacji\b52a7b6b\U\800000cf.@
c:\documents and settings\JA\Ustawienia lokalne\Dane aplikacji\b52a7b6b\X
c:\documents and settings\JA\WINDOWS
c:\windows\$NtUninstallKB12734$\2531553079
c:\windows\$NtUninstallKB12734$\3039460203\@
c:\windows\$NtUninstallKB12734$\3039460203\L\qokiawmj
c:\windows\$NtUninstallKB12734$\3039460203\loader.tlb
c:\windows\$NtUninstallKB12734$\3039460203\U\@00000001
c:\windows\$NtUninstallKB12734$\3039460203\U\@000000c0
c:\windows\$NtUninstallKB12734$\3039460203\U\@000000cb
c:\windows\$NtUninstallKB12734$\3039460203\U\@000000cf
c:\windows\$NtUninstallKB12734$\3039460203\U\@80000000
c:\windows\$NtUninstallKB12734$\3039460203\U\@800000c0
c:\windows\$NtUninstallKB12734$\3039460203\U\@800000cb
c:\windows\$NtUninstallKB12734$\3039460203\U\@800000cf
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\hpzr3209.dll
c:\windows\iun6002.exe
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\
c:\windows\system32\SET3A.tmp
c:\windows\system32\SET3E.tmp
c:\windows\system32\SET3F.tmp
c:\windows\system32\SET46.tmp
c:\windows\system32\SET8D.tmp
c:\windows\system32\TZLog.log
c:\windows\$NtUninstallKB12734$ . . . . nie udało się usunąć
.
Zainfekowana kopia c:\program files\Java\jre6\bin\jqs.exe została znaleziona. Problem naprawiono
Plik odzyskano z - c:\system volume information\_restore{EE389E1D-D7D2-4DA7-AA8D-9F9023789570}\RP764\A0066647.exe
.
Zainfekowana kopia c:\windows\system32\HPZipm12.exe została znaleziona. Problem naprawiono
Plik odzyskano z - c:\system volume information\_restore{EE389E1D-D7D2-4DA7-AA8D-9F9023789570}\RP764\A0066648.exe
.
Zainfekowana kopia c:\program files\PC Tools Security\pctsAuxs.exe została znaleziona. Problem naprawiono
Plik odzyskano z - c:\program files\PC Tools Security\
.
Zainfekowana kopia c:\program files\PC Tools Security\pctsSvc.exe została znaleziona. Problem naprawiono
Plik odzyskano z - c:\system volume information\_restore{EE389E1D-D7D2-4DA7-AA8D-9F9023789570}\RP765\A0068757.exe
.
Zainfekowana kopia c:\windows\system32\HPZipm12.exe została znaleziona. Problem naprawiono
Plik odzyskano z - c:\system volume information\_restore{EE389E1D-D7D2-4DA7-AA8D-9F9023789570}\RP764\A0066648.exe
.
((((((((((((((((((((((((( Pliki utworzone od 2011-12-03 do 2012-01-03 )))))))))))))))))))))))))))))))
.
.
2012-01-03 00:58 . 2012-01-03 00:59 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-03 00:58 . 2012-01-03 00:58 -------- d-----w- c:\documents and settings\JA\Dane aplikacji\Malwarebytes
2012-01-03 00:58 . 2012-01-03 00:58 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Malwarebytes
2012-01-03 00:58 . 2012-01-03 00:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-03 00:58 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-02 22:31 . 2012-01-02 22:31 -------- d-----w- c:\documents and settings\LocalService\Pulpit
2012-01-02 21:44 . 2010-07-16 13:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-01-02 21:44 . 2010-07-16 13:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-01-02 21:43 . 2011-01-17 08:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-01-02 21:43 . 2010-12-10 15:57 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-01-02 21:43 . 2010-12-10 12:24 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-01-02 21:43 . 2010-12-16 07:46 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-01-02 21:43 . 2012-01-03 01:19 -------- d-----w- c:\program files\PC Tools Security
2012-01-02 21:43 . 2012-01-02 21:52 -------- d-----w- c:\program files\Common Files\PC Tools
2012-01-02 21:43 . 2012-01-02 21:43 -------- d-----w- c:\documents and settings\JA\Dane aplikacji\PC Tools
2012-01-02 21:32 . 2012-01-02 21:43 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\PC Tools
2012-01-02 21:27 . 2012-01-02 21:27 -------- d-----w- c:\documents and settings\LocalService\Dane aplikacji\McAfee
2012-01-01 16:05 . 2012-01-03 01:17 -------- d-sh--w- c:\documents and settings\JA\Ustawienia lokalne\Dane aplikacji\b52a7b6b
2012-01-01 16:05 . 2012-01-03 01:17 -------- d-----w- c:\documents and settings\JA\Dane aplikacji\pny
2011-12-27 23:54 . 2011-12-27 23:54 -------- d-----w- c:\documents and settings\JA\Dane aplikacji\Fender
2011-12-27 23:43 . 2006-06-29 12:07 14048 ------w- c:\windows\system32\spmsg2.dll
2011-12-27 23:40 . 2011-12-27 23:43 -------- d-----w- c:\windows\system32\XPSViewer
2011-12-27 23:40 . 2011-12-27 23:40 -------- d-----w- c:\program files\MSBuild
2011-12-27 23:40 . 2011-12-27 23:40 -------- d-----w- c:\program files\Reference Assemblies
2011-12-27 23:39 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-12-27 23:39 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-12-27 23:39 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-12-27 23:39 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-12-27 23:39 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-12-27 23:39 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-12-27 23:39 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-12-27 23:39 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-12-27 23:39 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-12-27 23:38 . 2011-12-27 23:39 -------- d-----w- C:\51977bc67ed57aab9992
2011-12-27 23:18 . 2011-12-27 23:52 -------- d-----w- c:\program files\Fender
2011-12-27 18:20 . 2011-12-27 18:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-27 18:20 . 2011-12-27 18:20 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\McAfee
2011-12-14 20:45 . 2011-12-14 20:45 -------- d-----w- c:\program files\vShare.tv plugin
2011-12-09 08:26 . 2011-12-09 08:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-12-09 08:26 . 2011-12-09 08:26 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-12-09 08:26 . 2011-12-09 08:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-12-09 08:26 . 2011-12-09 08:26 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-12-09 08:26 . 2011-12-09 08:26 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-12-09 08:26 . 2011-12-09 08:26 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-12-09 08:26 . 2011-12-09 08:26 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-12-09 08:26 . 2011-12-09 08:26 1989592 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 14:40 . 2006-03-02 12:00 1859840 ----a-w- c:\windows\system32\win32k.sys
2011-11-01 16:07 . 2006-03-02 12:00 1288192 ----a-w- c:\windows\system32\ole32.dll
2011-10-31 23:37 . 2006-03-02 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:37 . 2006-03-02 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-10-31 23:37 . 2006-03-02 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:37 . 2006-03-02 12:00 17408 ------w- c:\windows\system32\corpol.dll
2011-10-28 05:32 . 2006-03-02 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-26 10:49 . 2006-03-02 12:00 2194048 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-26 10:49 . 2004-08-04 00:38 2070656 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2006-03-02 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2007-06-21 11:07 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-12-09 08:26 . 2011-12-09 08:26 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-03-10 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-03-10 688218]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-17 398944]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk - c:\program files\SAGEM WiFi manager\WLANUTL.exe [2007-6-26 925696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Metin2_PL\\metin2.bin"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Metin2_PL\\metin2client.bin"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jaucheck.exe"=
"c:\\Documents and Settings\\JA\\Moje dokumenty\\Pobieranie\\sdasetup_revwire207.exe"=
"c:\\Program Files\\PC Tools Security\\Update.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-01-02 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-01-02 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-01-02 656320]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-05 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-05 20560]
R2 CommSBEP;CommSBEP;c:\windows\system32\drivers\COMMSBEP.sys [2008-10-20 24476]
R3 SG762_XP;SAGEM 802.11g XG762 1211B Driver;c:\windows\system32\drivers\WlanBZXP.sys [2009-12-09 450560]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-01-03 40776]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2012-01-02 1150936]
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-01-01 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2007-07-02 04:55]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://startsear.ch/?aff=1&cf=857c9458-2694-11e1-ba04-0060b38f6a3a
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://startsear.ch/?aff=1&cf=857c9458-2694-11e1-ba04-0060b38f6a3a
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: Interfaces\{7FBE0433-A926-48C0-84B1-D29FC0A8C0D2}: NameServer = 194.204.159.1,194.204.152.34
TCP: Interfaces\{B22B7354-E265-4263-B7BE-684F3CCA4976}: NameServer = 194.204.159.1,194.204.152.34
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\JA\Dane aplikacji\Mozilla\Firefox\Profiles\bu7sca0d.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl/#
FF - prefs.js: keyword.URL - hxxp://startsear.ch/?aff=1&src=sp&cf=857c9458-2694-11e1-ba04-0060b38f6a3a&q=
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
HKCU-Run-Microsoft PnD - c:\documents and settings\JA\Dane aplikacji\pny\pnd.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-03 02:24
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'explorer.exe'(3360)
c:\windows\system32\WININET.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Czas ukończenia: 2012-01-03 02:28:30 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2012-01-03 01:28
.
Przed: 91 825 262 592 bajtów wolnych
Po: 94 710 910 976 bajtów wolnych
.
WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - AC120C4CB24BD83357E6BD177C9A4FCC