ComboFix 12-02-29.01 - kkk 2012-03-01 8:14.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.1023.607 [GMT 1:00]
Uruchomiony z: c:\documents and settings\kkk\Pulpit\ComboFix.exe.exe
AV: Avira AntiVir PersonalEdition *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Dane aplikacji\Microsoft\corecon\1.0\1033\NonSDKAddonLangVer.dll
c:\documents and settings\All Users\Dane aplikacji\Microsoft\corecon\1.0\1033\SDKAddonLangVer.dll
c:\documents and settings\All Users\Dane aplikacji\Microsoft\corecon\1.0\addons\NonSDKAddonVer.dll
c:\documents and settings\All Users\Dane aplikacji\Microsoft\corecon\1.0\addons\SDKAddonVer.dll
c:\documents and settings\All Users\Dane aplikacji\Microsoft\corecon\1.0\SDKFilesVer.dll
c:\documents and settings\All Users\grafdcom.exe
c:\documents and settings\kkk\Dane aplikacji\wizcomp.exe
c:\documents and settings\kkk\Menu Start\Programy\AntiSpywareXP2009
c:\documents and settings\kkk\Menu Start\Programy\AntiSpywareXP2009\AntiSpywareXP2009.lnk
c:\documents and settings\kkk\Menu Start\Programy\AntiSpywareXP2009\Uninstall.lnk
c:\documents and settings\kkk\Menu Start\WinPC Defender.LNK
c:\documents and settings\kkk\Ustawienia lokalne\Dane aplikacji\4c307e15\U
c:\documents and settings\kkk\Ustawienia lokalne\Dane aplikacji\4c307e15\U\00000001.@
c:\documents and settings\kkk\Ustawienia lokalne\Dane aplikacji\4c307e15\U\000000c0.@
c:\documents and settings\kkk\Ustawienia lokalne\Dane aplikacji\4c307e15\U\000000cb.@
c:\documents and settings\kkk\Ustawienia lokalne\Dane aplikacji\4c307e15\U\000000cf.@
c:\documents and settings\kkk\Ustawienia lokalne\Dane aplikacji\4c307e15\U\800000c0.@
c:\documents and settings\kkk\Ustawienia lokalne\Dane aplikacji\4c307e15\U\800000cb.@
c:\documents and settings\kkk\Ustawienia lokalne\Dane aplikacji\4c307e15\U\800000cf.@
c:\documents and settings\kkk\Ustawienia lokalne\Dane aplikacji\ekys.exe
c:\documents and settings\kkk\WINDOWS
c:\program files\Common Files\enuge.dl
c:\windows\$NtUninstallKB52698$
c:\windows\$NtUninstallKB52698$\1278246421\@
c:\windows\$NtUninstallKB52698$\1278246421\L\mbovchei
c:\windows\$NtUninstallKB52698$\1278246421\loader.tlb
c:\windows\$NtUninstallKB52698$\1278246421\U\@00000001
c:\windows\$NtUninstallKB52698$\1278246421\U\@000000c0
c:\windows\$NtUninstallKB52698$\1278246421\U\@000000cb
c:\windows\$NtUninstallKB52698$\1278246421\U\@000000cf
c:\windows\$NtUninstallKB52698$\1278246421\U\@80000000
c:\windows\$NtUninstallKB52698$\1278246421\U\@800000c0
c:\windows\$NtUninstallKB52698$\1278246421\U\@800000cb
c:\windows\$NtUninstallKB52698$\1278246421\U\@800000cf
c:\windows\$NtUninstallKB52698$\1616973551
c:\windows\IsUn0415.exe
c:\windows\system32\CddbCdda.dll
c:\windows\system32\dds_log_trash.cmd
c:\windows\system32\html
c:\windows\system32\html\calendar.html
c:\windows\system32\html\calendarbottom.html
c:\windows\system32\html\calendartop.html
c:\windows\system32\html\crystalexportdialog.htm
c:\windows\system32\html\crystalprinthost.html
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
c:\windows\system32\kservice.dll
c:\windows\system32\mindrepair.dll
c:\windows\system32\SET39.tmp
c:\windows\system32\SET45.tmp
c:\windows\system32\wini101956.exe
.
Zainfekowana kopia c:\windows\system32\drivers\afd.sys została znaleziona. Problem naprawiono
Plik odzyskano z - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_dsbrokerservice
-------\Service_dsbrokerservice
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-02-01 do 2012-03-01 )))))))))))))))))))))))))))))))
.
.
2012-03-01 07:09 . 2008-08-14 10:34 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2012-03-01 07:09 . 2008-08-14 10:34 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-03-01 06:59 . 2012-03-01 07:00 -------- d-----w- c:\documents and settings\Administrator.III-59924FC4392.001
2012-02-28 00:06 . 2012-02-28 00:06 -------- d-----r- c:\documents and settings\LocalService\Ulubione
2012-02-27 23:04 . 2012-03-01 07:22 -------- d-sh--w- c:\documents and settings\kkk\Ustawienia lokalne\Dane aplikacji\4c307e15
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2060-08-18 18:02 . 2010-11-07 01:05 2023424 ------w- c:\windows\system32\VCL50.BPL
2060-08-18 18:02 . 2010-11-07 01:05 1496064 ------w- c:\windows\system32\CC3250MT.DLL
2060-08-18 18:02 . 2010-11-07 01:05 248832 ------w- c:\windows\system32\VCLX50.BPL
2060-08-18 17:40 . 2010-11-07 01:05 909824 ------w- c:\windows\system32\CP3245MT.DLL
2060-08-18 17:40 . 2010-11-07 01:05 24064 ------w- c:\windows\system32\BORLNDMM.DLL
2011-03-17 19:14 . 2011-03-17 19:13 15517808 ----a-w- c:\program files\iplasetup.exe
2008-10-27 17:27 . 2008-10-27 17:27 11475 ----a-w- c:\program files\Common Files\ydizajev.bin
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-08-17 23120680]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-21 68856]
"Gadu-Gadu"="c:\documents and settings\kkk\Pulpit\grzegorz\Gadu-Gadu\gg.exe" [2006-11-10 1853128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-18 843776]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-06-02 385024]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"PCSuiteTrayApplication"="f:\program files\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 222208]
"TweakMASTER"="c:\program files\TweakMASTER\TwMaster.exe" [2002-12-04 1746944]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"nwiz"="nwiz.exe" [2006-06-01 1519616]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 86016]
"DAEMON Tools"="f:\program files\deamon tools\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"WireLessKeyboard"="c:\program files\Office Keyboard Driver\StartAutorun.exe" [2005-11-30 94208]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-19 266497]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="f:\program files\Quick Time Player\iTunesHelper.exe" [2009-01-06 290088]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]
"PcSync"="f:\program files\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]
.
c:\documents and settings\kkk\Menu Start\Programy\Autostart\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-5-29 385024]
.
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\Insane\\Game.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Documents and Settings\\kkk\\Pulpit\\grzegorz\\Gadu-Gadu\\gg.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Pacific Warriors\\Pacific Warriors.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\Quick Time Player\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Ipla\\ipla.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avnotify.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2007-01-15 639224]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-05-07 136176]
S3 gupdatem;Usługa Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-05-07 136176]
S3 SER120;OTI Serial port driver;c:\windows\system32\drivers\ser120.sys [2006-12-11 32910]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dnserver32
spkrmon
tosrfcom
fssfltr
ma_cmidi_installerservice
SI3112
ELmon
symsecureport
WinHttpAutoProxySvc
emu10k
ahcix86s
w200obex
sqlagent$sony_mediamgr
SWNC8U20
hpzid412
TMBMServer
EhttpSrv
pdlnepkt
dsbrokerservice
mcpromgr
vsdatant
TUWinStylerThemeSvc
qbposdbextservices
ood2000
PQNTDrv
portio
U81xmdfl
dot4
QWAVEDRV
EMCFILT
automate6
DniVad
dcpflics
sysdown
Packet
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-07 02:17]
.
2012-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-07 02:17]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.de/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download with &Media Finder - c:\program files\Media Finder\hook.html
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 195.140.236.250 195.140.238.250 195.140.236.251
TCP: Interfaces\{CAD0A338-128F-4279-97AA-133E2E8688F1}: NameServer = 8.8.8.8
TCP: Interfaces\{D002C1DA-1703-4E07-AA33-1427AD7CBBEE}: NameServer = 8.8.8.8,208.67.220.220
FF - ProfilePath - c:\documents and settings\kkk\Dane aplikacji\Mozilla\Firefox\Profiles\mac6zit5.default\
FF - prefs.js: browser.startup.homepage - www.google.de
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Firefox Synchronisation Extension: fe_3.6@nokia.com - c:\program files\Nokia\Nokia Suite\Connectors\Bookmarks Connector\FirefoxExtension_3.6
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
HKCU-Run-brastk - c:\windows\system32\brastk.exe
HKCU-Run-sysav - c:\documents and settings\kkk\Dane aplikacji\pcdefender.exe
HKCU-Run-Media Finder - c:\program files\Media Finder\MF.exe
HKCU-Run-grafdcom - c:\documents and settings\All Users\grafdcom.exe
HKCU-Run-wizcomp - c:\documents and settings\kkk\Dane aplikacji\wizcomp.exe
HKLM-Run-AntiSpywareXP 2009 - c:\program files\AntiSpywareXP2009\AntiSpywareXP2009.exe
HKLM-Run-ORAHSSSessionManager - c:\program files\Livebox\SessionManager\SessionManager.exe
HKLM-Run-grafdcom - c:\documents and settings\All Users\grafdcom.exe
HKLM-Run-wizcomp - c:\documents and settings\kkk\Dane aplikacji\wizcomp.exe
AddRemove-Adobe Acrobat 5.0 - c:\windows\ISUN0415.EXE
AddRemove-Matura_testy_2007 - c:\documents and settings\kkk\Pulpit\grzegorz\Matura_testy_2007\uninst.exe
AddRemove-Polish Your English - intro - c:\windows\IsUn0415.exe
AddRemove-Skoki narciarskie 2003: Polski orzeł - c:\progra~1\SKOKIN~1\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-01 08:28
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'explorer.exe'(2320)
c:\windows\system32\WININET.dll
c:\documents and settings\kkk\Pulpit\grzegorz\Gadu-Gadu\ggwhook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
f:\program files\Nokia PC Suite 6\PhoneBrowser.dll
f:\program files\Nokia PC Suite 6\PCSCM.dll
c:\program files\PC Connectivity Solution\ConnAPI.DLL
f:\program files\Nokia PC Suite 6\Lang\PhoneBrowser_pol.nlr
f:\program files\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ATKKBService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\RunDLL32.exe
c:\program files\Office Keyboard Driver\PS2USBKbdDrv.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Czas ukończenia: 2012-03-01 08:35:53 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2012-03-01 07:35
.
Przed: 12 443 750 400 bajtów wolnych
Po: 15 215 452 160 bajtów wolnych
.
- - End Of File - - 468166D0DE92D270DA211C79E4A7B325