ComboFix 10-10-05.06 - master_mix 2010-10-06 20:51:59.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.4.1250.48.1045.18.1023.657 [GMT 2:00]
Uruchomiony z: c:\documents and settings\master_mix\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 081201-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\documents and settings\master_mix\Menu Start\Programy\Autostart\ctfmon.exe
c:\windows\system\update.exe
c:\windows\system32\sknc.dll
D:\Autorun.inf

Zainfekowana kopia c:\windows\system32\ws2_32.dll została znaleziona. Problem naprawiono
Plik odzyskano z - c:\windows\ERDNT\cache\ws2_32.dll
.
((((((((((((((((((((((((( Pliki utworzone od 2010-09-06 do 2010-10-06 )))))))))))))))))))))))))))))))
.
2010-10-01 18:18 . 2010-10-01 18:18 70656 ----a-w- c:\windows\system32\winfuq32.dll
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-06 18:30 . 2010-03-18 22:17 -------- d-----w- c:\documents and settings\master_mix\Dane aplikacji\ipla
2010-10-06 17:52 . 2010-03-26 21:53 -------- d-----w- c:\program files\Oberon Media
2010-10-06 17:47 . 2008-11-24 07:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-25 22:11 . 2008-12-29 17:04 -------- d-----w- c:\program files\Google
2010-09-09 20:02 . 2008-11-24 10:41 -------- d-----w- c:\program files\Opera
2010-09-06 07:52 . 2010-03-18 22:16 -------- d-----w- c:\program files\ipla
2010-09-06 07:52 . 2010-03-18 22:17 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\ipla
2010-09-01 17:46 . 2010-09-01 17:46 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-14 15:46 . 2001-10-26 14:15 95908 ----a-w- c:\windows\system32\perfc015.dat
2010-07-14 15:46 . 2001-10-26 14:15 515354 ----a-w- c:\windows\system32\perfh015.dat
2010-07-14 15:27 . 2010-07-14 15:27 12212040 ----a-w- c:\documents and settings\All Users\Dane aplikacji\NokiaInstallerCache\ProductCache\{D5878294-C113-43c5-A24F-FC333C52015A}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-07-14 15:27 . 2010-07-14 15:27 13930312 ----a-w- c:\documents and settings\All Users\Dane aplikacji\NokiaInstallerCache\ProductCache\{D5878294-C113-43c5-A24F-FC333C52015A}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-07-14 15:27 . 2010-07-14 15:27 38912 ----a-w- c:\documents and settings\All Users\Dane aplikacji\NokiaInstallerCache\ProductCache\{D5878294-C113-43c5-A24F-FC333C52015A}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-07-14 15:27 . 2010-07-14 15:27 38912 ----a-w- c:\documents and settings\All Users\Dane aplikacji\NokiaInstallerCache\ProductCache\{D5878294-C113-43c5-A24F-FC333C52015A}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-07-14 15:27 . 2010-07-14 15:27 77824 ----a-w- c:\documents and settings\All Users\Dane aplikacji\NokiaInstallerCache\ProductCache\{D5878294-C113-43c5-A24F-FC333C52015A}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-07-14 15:27 . 2010-07-14 15:27 50000 ----a-w- c:\documents and settings\All Users\Dane aplikacji\NokiaInstallerCache\ProductCache\{D5878294-C113-43c5-A24F-FC333C52015A}\Installer\CommonCustomActions\pcswpc.exe
2010-07-14 14:25 . 2010-07-14 15:27 103412296 ----a-w- c:\documents and settings\All Users\Dane aplikacji\NokiaInstallerCache\ProductCache\{D5878294-C113-43c5-A24F-FC333C52015A}\Installer.exe
2010-03-30 20:37 . 2010-04-01 21:11 27136 ----a-w- c:\program files\Zeszyt1.xls
2010-05-28 21:24 . 2009-06-10 21:47 56 --sh--r- c:\windows\system32\B3391C7A4E.sys
2010-06-03 16:46 . 2009-06-10 21:47 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{038cb5c7-48ea-4af9-94e0-a1646542e62b}"= "c:\program files\ToggleEN\tbTog1.dll" [2009-12-12 2166296]

[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{038cb5c7-48ea-4af9-94e0-a1646542e62b}"= "c:\program files\ToggleEN\tbTog1.dll" [2009-12-12 2166296]

[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{038CB5C7-48EA-4AF9-94E0-A1646542E62B}"= "c:\program files\ToggleEN\tbTog1.dll" [2009-12-12 2166296]

[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2010-07-02 671608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\master_mix\Menu Start\Programy\Autostart\
spoolsvcs.exe [2010-5-28 505174]
wnr232.exe [2010-5-24 396288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winfuq32]
2010-10-01 18:18 70656 ----a-w- c:\windows\system32\winfuq32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Kalendarz XP.lnk]
backup=c:\windows\pss\Kalendarz XP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^master_mix^Menu Start^Programy^Autostart^ctfmon.exe]
path=c:\documents and settings\master_mix\Menu Start\Programy\Autostart\ctfmon.exe
backup=c:\windows\pss\ctfmon.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^master_mix^Menu Start^Programy^Autostart^spoolsvcs.exe]
path=c:\documents and settings\master_mix\Menu Start\Programy\Autostart\spoolsvcs.exe
backup=c:\windows\pss\spoolsvcs.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^master_mix^Menu Start^Programy^Autostart^wnr232.exe]
path=c:\documents and settings\master_mix\Menu Start\Programy\Autostart\wnr232.exe
backup=c:\windows\pss\wnr232.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-08-30 08:44 148760 ----a-w- c:\program files\Common Files\Maxtor\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2008-10-29 02:11 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
2008-11-26 17:18 81000 ----a-w- d:\narzed~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-08-03 11:51 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-10 09:02 216520 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2007-08-04 09:29 1056552 ----a-w- d:\narzedzia\Nero 8\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
2001-11-29 00:00 28672 ----a-w- c:\program files\Creative\SBLive\Program\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-08-08 08:25 1828136 ----a-w- d:\narzedzia\Nero 8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 14:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Odkurzacz-MCD]
2009-12-20 14:09 349184 ----a-w- d:\narzedzia\Odkurzacz\odk_mcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 14:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
2007-08-04 09:30 2043688 ----a-w- d:\narzedzia\Nero 8\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-08-29 15:11 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-08-03 23:02 36352 ----a-w- d:\narzedzia\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Narzedzia\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"d:\\Narzedzia\\totalcmd\\TOTALCMD.EXE"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Internet\\eMule\\emule.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-24 111184]
R1 SSHDRV76;SSHDRV76;c:\windows\system32\drivers\SSHDRV76.sys [2009-07-01 53760]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-24 20560]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2008-11-24 33792]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-11 135664]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-24 27904]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-11-24 691696]
.
Zawartość folderu 'Zaplanowane zadania'

2008-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-11 15:02]

2010-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-11 15:02]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.ask.com?o=14978&l=dis
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Funkcja Google Sidewiki - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
- - - - USUNIĘTO PUSTE WPISY - - - -

Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-DAEMON Tools Pro Agent - d:\narzedzia\DAEMON Tools Pro\DTProAgent.exe
MSConfigStartUp-LogMeIn Hamachi Ui - d:\gry\hamachi\hamachi-2-ui.exe
MSConfigStartUp-SearchSettings - c:\program files\pdfforge Toolbar\SearchSettings.exe
MSConfigStartUp-Windows Updates - c:\windows\system\Update.exe
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-2025429265-562591055-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:b9,67,4f,d8,63,53,f5,7b,64,65,3a,2a,fc,95,5b,bc,83,9b,68,6c,23,
   c1,58,f9,d9,22,5d,cc,aa,18,2d,8e,2d,29,31,3f,83,69,18,6b,25,e0,16,7e,39,8d,\
"rkeysecu"=hex:75,e7,d4,31,dc,0c,95,9b,d5,b5,22,a4,f2,fa,be,cf
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\winfuq32.dll

- - - - - - - > 'explorer.exe'(2584)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
d:\narzedzia\DiskeeperLite\DKService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\Common Files\Nokia\NoA\nokiaaserver.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Czas ukończenia: 2010-10-06 21:09:16 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2010-10-06 19:09
ComboFix2.txt 2008-12-02 19:05

Przed: 7 315 836 928 bajtów wolnych
Po: 7 304 568 832 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 926EF710D3098796A59F1E0AF2A8BDB4