ComboFix 12-02-23.01 - Admin 2012-02-26 19:04:55.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1250.48.1045.18.2037.1073 [GMT 1:00]
Uruchomiony z: c:\users\Admin\Desktop\Nowy folder\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB29254$\4142695594\@
c:\windows\$NtUninstallKB29254$\4142695594\cfg.ini
c:\windows\$NtUninstallKB29254$\4142695594\Desktop.ini
c:\windows\$NtUninstallKB29254$\4142695594\L\ogejidap
c:\windows\$NtUninstallKB29254$\4240405281
c:\windows\$NtUninstallKB29254$ . . . . nie udało się usunąć
.
Zainfekowana kopia c:\windows\system32\drivers\i8042prt.sys została znaleziona. Problem naprawiono
Plik odzyskano z - The cat found it :)
c:\windows\system32\drivers\afd.sys - brakowało pliku
Plik odzyskano z - c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
.
c:\windows\system32\drivers\netbt.sys - brakowało pliku
Plik odzyskano z - c:\windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys
.
c:\windows\system32\drivers\tdx.sys - brakowało pliku
Plik odzyskano z - c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-01-26 do 2012-02-26 )))))))))))))))))))))))))))))))
.
.
2012-02-26 18:13 . 2012-02-26 18:15 -------- d-----w- c:\users\Admin\AppData\Local\temp
2012-02-26 18:13 . 2012-02-26 18:13 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-02-26 18:13 . 2012-02-26 18:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-26 18:13 . 2008-01-19 05:55 71680 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-26 18:13 . 2008-01-19 05:55 184320 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-26 18:13 . 2011-04-21 13:28 273920 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-25 16:51 . 2012-02-25 16:56 -------- d-----w- C:\FRST
2012-02-25 06:34 . 2009-04-11 04:39 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-24 17:57 . 2010-04-27 14:19 1214976 ----a-w- c:\windows\system32\drivers\athr.sys
2012-02-24 09:23 . 2010-03-25 09:08 105984 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2012-02-24 09:23 . 2010-03-20 11:06 11136 ----a-w- c:\windows\system32\drivers\ew_usbenumfilter.sys
2012-02-24 09:23 . 2010-03-20 10:56 101504 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2012-02-24 09:23 . 2010-03-20 09:28 116736 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2012-02-24 09:23 . 2010-03-17 13:33 861696 ----a-w- c:\windows\system32\drivers\mod7700.sys
2012-02-24 09:23 . 2007-08-09 03:06 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2012-02-24 09:22 . 2012-02-24 09:23 -------- d-----w- c:\program files\PLAY ONLINE
2012-02-23 17:36 . 2012-02-23 17:36 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2012-02-20 16:22 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-02-20 16:22 . 2012-02-23 15:48 -------- d-----w- c:\program files\AVAST Software
2012-02-20 16:22 . 2012-02-20 16:22 -------- d-----w- c:\programdata\AVAST Software
2012-02-16 14:36 . 2011-12-14 16:17 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 14:36 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-01-28 21:34 . 2012-01-28 21:34 -------- d-----w- c:\programdata\PC Tools
2012-01-28 21:34 . 2012-01-28 21:34 -------- d-----w- c:\users\Admin\AppData\Roaming\Product_RM
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 19673736]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-03 4702208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2010-08-05 104408]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 133656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4116904073-3438038410-1597625619-1000]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 17:33]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 17:33]
.
2012-02-26 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2010-12-29 07:46]
.
2011-05-09 c:\windows\Tasks\User_Feed_Synchronization-{0388C9A5-8FE7-4F90-8023-F34E10850BFA}.job
- c:\windows\system32\msfeedssync.exe [2011-05-27 23:23]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://onet.pl/
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 85.219.212.253 85.219.244.253
DPF: {F6D13A55-3261-4E6F-8BCC-AB18FF8291BC} - hxxp://www.delight3d.com/delight3d_1.4.cab
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dnjmd72n.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-26 19:15
Windows 6.0.6002 Service Pack 2 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'Explorer.exe'(3692)
c:\windows\system32\igfxsrvc.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\windows\system32\conime.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\TeamViewer\Version5\TeamViewer_Service.exe
c:\program files\TeamViewer\Version5\TeamViewer.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Czas ukończenia: 2012-02-26 19:21:37 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2012-02-26 18:21
ComboFix2.txt 2012-02-25 06:55
.
Przed: 2 832 556 032 bajtów wolnych
Po: 2 725 806 080 bajtów wolnych
.
- - End Of File - - D0115776866CD3B019DBFBADA4849DCF