ComboFix 12-02-16.02 - Maciek 2012-02-17 14:58:13.1.2 - x86
Uruchomiony z: c:\documents and settings\Maciek\Pulpit\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Dane aplikacji\TEMP
c:\documents and settings\Maciek\Dane aplikacji\edxLabs
c:\documents and settings\Maciek\Dane aplikacji\edxLabs\edxSilkroadLoader\edxSilkroadLoader.ini
c:\documents and settings\Maciek\Dane aplikacji\WinService.dll
c:\documents and settings\Maciek\Dane aplikacji\winservice.exe
c:\documents and settings\Maciek\l6krac7plz.exe
c:\documents and settings\Maciek\Ustawienia lokalne\Dane aplikacji\f9111136\U
c:\documents and settings\Maciek\Ustawienia lokalne\Dane aplikacji\f9111136\U\00000001.@
c:\documents and settings\Maciek\Ustawienia lokalne\Dane aplikacji\f9111136\U\000000c0.@
c:\documents and settings\Maciek\Ustawienia lokalne\Dane aplikacji\f9111136\U\000000cb.@
c:\documents and settings\Maciek\Ustawienia lokalne\Dane aplikacji\f9111136\U\000000cf.@
c:\documents and settings\Maciek\Ustawienia lokalne\Dane aplikacji\f9111136\U\80000000.@
c:\documents and settings\Maciek\Ustawienia lokalne\Dane aplikacji\f9111136\U\800000c0.@
c:\documents and settings\Maciek\Ustawienia lokalne\Dane aplikacji\f9111136\U\800000cb.@
c:\documents and settings\Maciek\Ustawienia lokalne\Dane aplikacji\f9111136\U\800000cf.@
c:\documents and settings\Maciek\Ustawienia lokalne\Dane aplikacji\f9111136\X
c:\program files\Common Files\logonInit.dll
c:\windows\$NtUninstallKB6104$
c:\windows\$NtUninstallKB6104$\413125946
c:\windows\$NtUninstallKB6104$\4178645302\@
c:\windows\$NtUninstallKB6104$\4178645302\L\rhjrauyj
c:\windows\$NtUninstallKB6104$\4178645302\loader.tlb
c:\windows\$NtUninstallKB6104$\4178645302\U\@00000001
c:\windows\$NtUninstallKB6104$\4178645302\U\@000000c0
c:\windows\$NtUninstallKB6104$\4178645302\U\@000000cb
c:\windows\$NtUninstallKB6104$\4178645302\U\@000000cf
c:\windows\$NtUninstallKB6104$\4178645302\U\@80000000
c:\windows\$NtUninstallKB6104$\4178645302\U\@800000c0
c:\windows\$NtUninstallKB6104$\4178645302\U\@800000cb
c:\windows\$NtUninstallKB6104$\4178645302\U\@800000cf
c:\windows\msmqinst.log
c:\windows\system32\cpqalert.dll
c:\windows\system32\dds_log_trash.cmd
.
Zainfekowana kopia c:\windows\system32\drivers\ipsec.sys została znaleziona. Problem naprawiono
Plik odzyskano z - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_iap
-------\Service_iap
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-01-17 do 2012-02-17 )))))))))))))))))))))))))))))))
.
.
2012-02-17 00:30 . 2012-02-17 00:30 -------- d-----r- c:\documents and settings\LocalService\Ulubione
2012-02-16 17:50 . 2012-02-16 17:50 -------- d-sh--w- c:\documents and settings\Maciek\PrivacIE
2012-02-16 10:37 . 2012-02-17 14:01 -------- d-sh--w- c:\documents and settings\Maciek\Ustawienia lokalne\Dane aplikacji\f9111136
2012-02-16 09:27 . 2012-02-16 09:27 -------- d-----w- c:\program files\Common Files\Skype
2012-02-16 09:27 . 2012-02-16 09:27 -------- d-----w- c:\program files\Common Files\Overwolf
2012-02-16 09:26 . 2012-02-16 09:26 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-02-15 02:35 . 2012-02-15 02:35 -------- d-sh--w- c:\documents and settings\Maciek\IETldCache
2012-02-15 02:18 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-02-15 02:17 . 2011-12-17 19:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-02-15 02:17 . 2011-12-17 19:41 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-02-15 02:17 . 2011-12-17 19:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-02-15 02:17 . 2011-12-17 19:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-02-15 02:17 . 2011-12-17 19:41 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-02-15 02:17 . 2011-12-18 13:41 11082240 -c----w- c:\windows\system32\dllcache\ieframe.dll
2012-02-15 02:17 . 2011-12-17 19:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-02-15 02:15 . 2012-02-15 02:16 -------- dc-h--w- c:\windows\ie8
2012-02-14 23:21 . 2012-01-11 19:07 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-14 23:21 . 2012-01-11 19:07 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-11 21:03 . 2012-02-11 21:03 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Overwolf
2012-02-07 20:18 . 2009-03-18 15:35 26176 ---ha-w- c:\windows\system32\hamachi.sys
2012-02-07 19:02 . 2012-02-07 19:02 421200 ----a-w- c:\windows\system32\msvcp100.dll
2012-02-05 03:01 . 2012-02-05 03:01 -------- d-----w- c:\program files\SystemRequirementsLab
2012-02-05 03:01 . 2012-02-05 03:01 -------- d-----w- c:\documents and settings\Maciek\SystemRequirementsLab
2012-01-31 00:22 . 2007-03-05 11:42 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll
2012-01-31 00:22 . 2006-12-08 11:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2012-01-31 00:22 . 2006-11-29 12:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2012-01-31 00:22 . 2006-09-28 15:05 237848 ----a-w- c:\windows\system32\xactengine2_4.dll
2012-01-22 20:29 . 2012-02-16 09:27 -------- d-----w- c:\program files\Overwolf
2012-01-22 20:27 . 2012-02-17 13:53 -------- d-----w- c:\documents and settings\Maciek\Ustawienia lokalne\Dane aplikacji\Overwolf
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-18 13:46 . 2012-01-03 17:19 21840 ----atw- c:\windows\system32\SIntfNT.dll
2012-01-18 13:46 . 2012-01-03 17:19 17212 ----atw- c:\windows\system32\SIntf32.dll
2012-01-18 13:46 . 2012-01-03 17:19 12067 ----atw- c:\windows\system32\SIntf16.dll
2012-01-12 17:20 . 2008-04-15 12:00 1860224 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 13:40 . 2012-01-11 13:40 249856 ------w- c:\windows\Setup1.exe
2012-01-11 13:40 . 2012-01-11 13:40 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-12-29 19:19 . 2011-12-29 19:19 768848 ----a-w- c:\windows\system32\msvcr100.dll
2011-12-17 19:41 . 2008-04-15 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:41 . 2008-04-15 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-12-17 19:41 . 2008-04-15 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:23 . 2008-04-15 12:00 385024 ------w- c:\windows\system32\html.iec
2011-12-15 18:41 . 2011-11-21 14:03 328 ----a-w- c:\program files\Common Files\userInit.dll
2011-11-25 21:57 . 2008-04-15 12:00 293888 ----a-w- c:\windows\system32\winsrv.dll
2011-11-20 06:12 . 2008-04-15 12:00 61440 ----a-w- c:\windows\system32\packager.exe
2012-01-02 21:01 . 2011-09-09 17:01 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF925EF3-7A87-44E4-9CAF-8D7B280BF616}]
2011-02-09 18:29 400384 ----a-w- d:\programy\ALLPlayer\Iplex\IplexToALLPlayer.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="d:\programy\Nokia\Nokia PC Suite 7\PCSuite.exe" [2011-06-16 1500160]
"ALLUpdate"="d:\programy\ALLPlayer\ALLUpdate.exe" [2011-08-16 1379840]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"PCSpeedUp"="c:\program files\Przyspiesz Komputer\PCSpeedUp.lnk" [2011-11-18 2013]
"Overwolf"="c:\program files\Overwolf\Overwolf.exe" [2012-02-07 41400]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"nwiz"="nwiz.exe" [2006-08-11 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 16342528]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-08-12 205336]
"Adobe Reader Speed Launcher"="d:\programy\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"LogMeIn Hamachi Ui"="d:\programy\Hamachi\hamachi-2-ui.exe" [2012-02-07 1987976]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
.
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
GamersFirst LIVE!.lnk - c:\program files\GamersFirst\LIVE!\Live.exe [2011-8-15 2589808]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Programy\\Gadu-Gadu 10\\gg.exe"=
"d:\\Gry\\Symulator Farmy 2011\\FarmingSimulator2011.exe"=
"d:\\Gry\\Symulator Farmy 2011\\game.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Overwolf\\Overwolf.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57898:TCP"= 57898:TCP:Pando Media Booster
"57898:UDP"= 57898:UDP:Pando Media Booster
.
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-10-01 21992]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;d:\programy\Hamachi\hamachi-2.exe -s --> d:\programy\Hamachi\hamachi-2.exe -s [?]
S1 38696;l6krac7plz.exe;\??\c:\windows\system32\drivers\38696.sys --> c:\windows\system32\drivers\38696.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 gupdate;Usługa Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-12-26 136176]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 gupdatem;Usługa Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-12-26 136176]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2011-09-13 137600]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 OverwolfUpdaterService;Overwolf Updater Service;c:\program files\Overwolf\OverwolfUpdater.exe [2012-01-22 17848]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
iap
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-26 12:50]
.
2012-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-26 12:50]
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-790525478-682003330-1003Core.job
- c:\documents and settings\Maciek\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2011-10-21 14:46]
.
2012-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-790525478-682003330-1003UA.job
- c:\documents and settings\Maciek\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2011-10-21 14:46]
.
2012-01-22 c:\windows\Tasks\RunOW.job
- c:\program files\Overwolf\OverwolfLauncher.exe [2012-02-07 19:02]
.
2012-02-17 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2011-09-27 20:18]
.
.
------- Skan uzupełniający -------
.
TCP: DhcpNameServer = 217.172.224.160 80.244.140.241 89.228.6.43
FF - ProfilePath - c:\documents and settings\Maciek\Dane aplikacji\Mozilla\Firefox\Profiles\qrw0rbtt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/
FF - prefs.js: keyword.URL - hxxp://www.browsersafesearch.com?client=mozilla-firefox&cd=UTF-8&search=1&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: browser.search.selectedEngine - Search the web
FF - user.js: browser.search.order.1 - Search the web
FF - user.js: browser.search.defaultenginename - Search the web
FF - user.js: keyword.URL - hxxp://www.browsersafesearch.com?client=mozilla-firefox&cd=UTF-8&search=1&q=
FF - user.js: privacy.item.cookies - false
FF - user.js: privacy.sanitize.promptOnSanitize - false
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
HKCU-Run-vmreg - c:\documents and settings\Maciek\Dane aplikacji\vmreg.exe
HKCU-Run-l6krac7plz - c:\documents and settings\Maciek\l6krac7plz.exe
HKLM-Run-UnlockerAssistant - d:\programy\Unlocker\UnlockerAssistant.exe
AddRemove-toolplugin - c:\docume~1\Maciek\USTAWI~1\Temp\WZSE0.TMP\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-17 15:04
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'explorer.exe'(1744)
c:\windows\system32\WININET.dll
c:\program files\Overwolf\OWExplorer-10513.dll
c:\windows\system32\webcheck.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\windows\ATKKBService.exe
d:\programy\Hamachi\hamachi-2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Pando Networks\Media Booster\PMB.exe
c:\windows\system32\wscntfy.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Czas ukończenia: 2012-02-17 15:06:45 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2012-02-17 14:06
.
Przed: 9 765 859 328 bajtów wolnych
Po: 10 129 514 496 bajtów wolnych
.
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 31EBAE9CC98AA9E875C978989EB5F121