ComboFix 10-09-27.05 - Admin 2010-09-29 1:49.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.48.1045.18.3230.2055 [GMT 2:00]
Uruchomiony z: c:\users\Admin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\KBL.LOG
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_usnjsvc

((((((((((((((((((((((((( Pliki utworzone od 2010-08-28 do 2010-09-29 )))))))))))))))))))))))))))))))
.
2010-09-29 00:00 . 2010-09-29 00:06 -------- d-----w- c:\users\Admin\AppData\Local\temp
2010-09-29 00:00 . 2010-09-29 00:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-28 22:12 . 2010-09-28 22:12 -------- dc----w- c:\windows\system32\DRVSTORE
2010-09-28 22:12 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-28 22:07 . 2010-09-28 22:07 -------- dc-h--w- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2010-09-28 22:07 . 2010-09-28 22:12 -------- d-----w- c:\programdata\Lavasoft
2010-09-28 22:07 . 2010-09-28 22:07 -------- d-----w- c:\program files\Lavasoft
2010-09-28 21:24 . 2010-09-28 21:25 -------- d-----w- c:\users\Admin\AppData\Roaming\Tibia
2010-09-25 20:11 . 2010-09-25 20:11 -------- d-----w- c:\program files\Ventrilo Mix 1.0
2010-09-23 11:46 . 2010-09-28 20:05 -------- d-----w- c:\program files\Asprate
2010-09-15 05:36 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-09-15 05:36 . 2010-08-17 14:11 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-15 05:36 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-15 05:36 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-11 17:02 . 2010-09-11 17:02 -------- d-----w- c:\users\Admin\AppData\Roaming\Media Player Classic
2010-09-05 13:50 . 2005-05-26 13:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-09-02 11:20 . 2010-09-28 20:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-02 11:20 . 2010-09-02 11:55 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-01 15:28 . 2010-09-01 22:09 -------- d-----w- c:\users\Admin\AppData\Roaming\Tibiacast
2010-09-01 15:05 . 2010-09-23 21:05 -------- d-----w- c:\program files\Tibiacast
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-29 00:05 . 2009-07-18 07:40 -------- d-----w- c:\program files\Steam
2010-09-29 00:02 . 2007-12-26 02:24 3204 ----a-w- c:\windows\bthservsdp.dat
2010-09-28 19:27 . 2009-07-15 15:08 27335 ----a-w- c:\users\Admin\AppData\Roaming\nvModes.dat
2010-09-28 18:25 . 2009-07-16 07:50 1 ----a-w- c:\users\Admin\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-27 16:55 . 2010-02-17 18:59 -------- d-----w- c:\users\Admin\AppData\Roaming\Winamp
2010-09-25 20:07 . 2010-07-09 07:05 -------- d-----w- c:\users\Admin\AppData\Roaming\Gadu-Gadu 10
2010-09-25 12:32 . 2010-02-17 16:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-09-19 15:33 . 2010-07-14 17:56 -------- d-----w- c:\users\Admin\AppData\Roaming\Mumble
2010-09-18 06:40 . 2009-07-18 07:40 -------- d-----w- c:\program files\Common Files\Steam
2010-09-16 01:56 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-16 01:03 . 2010-04-20 11:32 -------- d-----w- c:\programdata\Microsoft Help
2010-09-03 19:49 . 2007-11-22 11:23 662056 ----a-w- c:\windows\system32\perfh015.dat
2010-09-03 19:49 . 2007-11-22 11:23 126908 ----a-w- c:\windows\system32\perfc015.dat
2010-09-02 10:03 . 2010-03-04 11:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-08-25 23:41 . 2009-10-28 18:04 -------- d-----w- c:\program files\Ganymede
2010-08-25 23:40 . 2007-12-26 02:40 -------- d-----w- c:\program files\HP
2010-08-25 23:40 . 2007-11-22 02:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-13 07:40 . 2009-07-15 11:15 -------- d-----w- c:\program files\Microsoft Works
2010-08-02 12:42 . 2010-07-09 07:04 -------- d-----w- c:\program files\Gadu-Gadu 10
2010-07-30 12:39 . 2010-07-14 18:04 25256 ----a-w- c:\users\Admin\AppData\Roaming\Mumble\Plugins\gmod.dll
2010-07-30 12:39 . 2010-07-14 18:04 25256 ----a-w- c:\users\Admin\AppData\Roaming\Mumble\Plugins\css.dll
2010-07-30 12:39 . 2010-07-14 18:04 25256 ----a-w- c:\users\Admin\AppData\Roaming\Mumble\Plugins\dods.dll
2010-07-30 12:39 . 2010-07-14 18:04 25256 ----a-w- c:\users\Admin\AppData\Roaming\Mumble\Plugins\tf2.dll
2010-07-30 12:39 . 2010-07-14 18:04 21160 ----a-w- c:\users\Admin\AppData\Roaming\Mumble\Plugins\l4d2.dll
2010-07-30 12:39 . 2010-07-14 18:04 21160 ----a-w- c:\users\Admin\AppData\Roaming\Mumble\Plugins\bfbc2.dll
2010-07-30 12:39 . 2010-07-14 18:04 21160 ----a-w- c:\users\Admin\AppData\Roaming\Mumble\Plugins\bf2.dll
2010-07-30 12:39 . 2010-07-14 18:04 21160 ----a-w- c:\users\Admin\AppData\Roaming\Mumble\Plugins\arma2.dll
2010-07-25 16:18 . 2009-07-19 06:05 680 ----a-w- c:\users\Admin\AppData\Local\d3d9caps.dat
2010-07-15 02:08 . 2009-07-15 11:17 74984 ----a-w- c:\users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-07 08:46 . 2010-07-07 08:46 393216 ----a-w- c:\programdata\Gadu-Gadu 10\_userdata\ggbho.3.dll
2010-07-01 13:46 . 2010-03-20 17:47 426 ----a-w- c:\users\Admin\AppData\Roaming\wklnhst.dat
2008-01-14 16:17 . 2009-07-15 11:59 22 --sha-w- c:\windows\SMINST\HPCD.SYS
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2010-08-24 1242448]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"Gadu-Gadu 10"="c:\program files\Gadu-Gadu 10\gg.exe" [2010-07-21 12477024]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2009-07-31 2674488]
"ALLUpdate"="c:\program files\ALLPlayer\ALLUpdate.exe" [2009-06-04 869888]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-18 1008184]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2007-09-20 671744]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-5 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages	REG_MULTI_SZ	scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

R3 ESLvnic1;ESLvnic Virtual Network 32 Bit;c:\windows\system32\DRIVERS\ESLvnic.sys [2010-04-06 24504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-04-02 691696]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-07-03 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-22 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-15 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-22 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-22 297752]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-09-28 1029456]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 BTHprint;Klasa drukarki Microsoft Bluetooth;c:\windows\system32\DRIVERS\bthprint.sys [2009-04-11 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	REG_MULTI_SZ	BthServ
LocalServiceAndNoImpersonation	REG_MULTI_SZ	FontCache
HPZ12	REG_MULTI_SZ	Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 15:34	451872	----a-w-	c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Zawartość folderu 'Zaplanowane zadania'

2010-09-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 22:32]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=pl_pl&c=81&bd=Pavilion&pf=laptop
IE: Pobierz wszystkie VIdeo za pomocą BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Pobierz wszystko za pomocą BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Pobierz za pomocą BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: Wyślij obraz do urządzenia &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Wyślij stronę do urządzenia &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - USUNIĘTO PUSTE WPISY - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-29 02:04
Windows 6.0.6002 Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'lsass.exe'(696)
c:\windows\system32\DPPWDFLT.dll

- - - - - - - > 'Explorer.exe'(5168)
c:\program files\DigitalPersona\Bin\DpoFeedb.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\conime.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\program files\Common Files\Steam\SteamService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Czas ukończenia: 2010-09-29 02:15:39 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2010-09-29 00:15

Przed: 145 448 116 224 bajtów wolnych
Po: 145 089 040 384 bajtów wolnych

- - End Of File - - E2A19AB0D233A25CD67331F3DC3B6490