ComboFix 12-07-16.01 - Admin 2012-07-18  9:29.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.1407.837 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Admin\Moje dokumenty\Pobieranie\ComboFix.exe
AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Internet Security 2012 *Enabled* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
 * Utworzono nowy punkt przywracania
.
.
(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\msmqinst.log
c:\windows\TEMP\MPENGINE.DLL
.
.
(((((((((((((((((((((((((   Pliki utworzone od 2012-06-18 do 2012-07-18   )))))))))))))))))))))))))))))))
.
.
2012-07-18 07:18 . 2012-07-18 07:18	--------	d-----w-	C:\_OTL
2012-07-17 12:42 . 2012-07-17 12:42	--------	d-----w-	c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\Temp
2012-07-17 12:42 . 2012-07-17 12:42	--------	d-----w-	c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\Google
2012-07-17 12:35 . 2012-07-17 12:35	--------	d-----w-	c:\program files\CCleaner
2012-07-17 12:34 . 2012-07-17 12:34	--------	d-----w-	c:\documents and settings\Admin\Ustawienia lokalne\Dane aplikacji\Temp
2012-07-17 12:34 . 2012-07-17 12:34	--------	d-----w-	c:\program files\Google
2012-07-13 07:36 . 2012-07-13 07:36	9822920	----a-w-	c:\windows\system32\FlashPlayerInstaller.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-13 07:36 . 2012-04-24 14:47	426184	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-07-13 07:36 . 2012-04-24 14:47	70344	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 13:19 . 2011-12-29 21:24	329240	----a-w-	c:\windows\system32\wucltui.dll
2012-06-02 13:19 . 2011-12-29 21:24	210968	----a-w-	c:\windows\system32\wuweb.dll
2012-06-02 13:19 . 2011-12-29 21:24	219160	----a-w-	c:\windows\system32\wuaucpl.cpl
2012-06-02 13:19 . 2009-08-06 18:24	15896	----a-w-	c:\windows\system32\wuapi.dll.mui
2012-06-02 13:19 . 2009-08-06 18:24	24088	----a-w-	c:\windows\system32\wucltui.dll.mui
2012-06-02 13:19 . 2011-12-29 21:24	53784	----a-w-	c:\windows\system32\wuauclt.exe
2012-06-02 13:19 . 2011-12-29 21:24	35864	----a-w-	c:\windows\system32\wups.dll
2012-06-02 13:19 . 2011-12-16 19:03	97304	----a-w-	c:\windows\system32\cdm.dll
2012-06-02 13:19 . 2009-08-06 18:24	45080	----a-w-	c:\windows\system32\wups2.dll
2012-06-02 13:19 . 2009-08-06 18:24	16408	----a-w-	c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19 . 2011-12-29 21:24	577048	----a-w-	c:\windows\system32\wuapi.dll
2012-06-02 13:19 . 2011-12-29 21:24	1933848	----a-w-	c:\windows\system32\wuaueng.dll
2012-06-02 13:19 . 2009-08-06 18:23	18968	----a-w-	c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:19 . 2011-12-16 19:03	603136	----a-w-	c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2011-12-16 19:03	920064	----a-w-	c:\windows\system32\wininet.dll
2012-05-15 13:55 . 2011-12-16 19:03	1872384	----a-w-	c:\windows\system32\win32k.sys
2012-05-11 14:43 . 2011-12-16 19:03	43520	----a-w-	c:\windows\system32\licmgr10.dll
2012-05-11 14:43 . 2011-12-16 19:03	1469440	----a-w-	c:\windows\system32\inetcpl.cpl
2012-05-11 12:13 . 2011-12-16 19:03	385024	----a-w-	c:\windows\system32\html.iec
2012-05-05 03:14 . 2011-10-26 15:19	2070400	----a-w-	c:\windows\system32\ntkrnlpa.exe
2012-05-05 03:14 . 2011-12-16 19:03	2193920	----a-w-	c:\windows\system32\ntoskrnl.exe
2012-05-02 13:45 . 2011-12-29 21:20	139656	----a-w-	c:\windows\system32\drivers\rdpwd.sys
2012-06-19 09:21 . 2012-05-09 09:30	85472	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-12-16 . C8BDAD4065118558B3DC360FC96D81DB . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-14 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-08-08 344064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2011-12-16 15360]
.
c:\documents and settings\Admin\Menu Start\Programy\Autostart\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
QLINK.lnk - c:\program files\Lexmark Applications\QLink\QLINK.EXE [2012-4-10 1346048]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 17:43	69632	----a-w-	c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-04-17 14:34	16143872	----a-w-	c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-06-01 12:57	573440	----a-w-	c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\SUPDSvc.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
.
R0 Si3124;Si3124;c:\windows\system32\drivers\si3124.sys [2011-12-16 69248]
R0 Si3531;Si3531;c:\windows\system32\drivers\Si3531.sys [2011-12-16 210736]
R2 MSSQL$TITUSPLUSSQL;SQL Server (TITUSPLUSSQL);c:\program files\Microsoft SQL Server\MSSQL10.TITUSPLUSSQL\MSSQL\Binn\sqlservr.exe [2009-03-30 43010392]
R3 ZD1211BU(ASUS);ASUS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ASUS);c:\windows\system32\drivers\ZD1211BU.sys [2011-12-31 425472]
S2 gupdate;Usługa Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2012-07-17 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-24 250056]
S3 gupdatem;Usługa Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2012-07-17 136176]
S3 ipswuio;ipswuio;c:\windows\system32\drivers\ipswuio.sys [2011-12-31 34944]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.207\McCHSvc.exe [2011-06-17 237008]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-09 113120]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2012-02-13 131888]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-03-31 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-03-30 239336]
S4 SQLAgent$TITUSPLUSSQL;SQL Server Agent (TITUSPLUSSQL);c:\program files\Microsoft SQL Server\MSSQL10.TITUSPLUSSQL\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-07-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-24 07:36]
.
2012-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-17 12:34]
.
2012-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-17 12:34]
.
.
------- Skan uzupełniający -------
.
uStart Page = about:blank
mStart Page = about:blank
TCP: DhcpNameServer = 192.168.88.1 176.103.32.2 213.199.225.14
FF - ProfilePath - c:\documents and settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\lmcezdey.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110819&tt=100512_1_
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - ac540c830000000000000018f3cd61b0
FF - user.js: extensions.BabylonToolbar_i.hardId - ac540c830000000000000018f3cd61b0
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15475
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1710:08
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-18 09:37
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\( *y“‘|]
"DisplayName"="??"
"DeviceDesc"="??"
"ProviderName"="???\11\08"
"MFG"="?\08???"
"ReinstallString"=".10.1000.5"
"DeviceInstanceIds"=multi:"c:\\documents and settings\\admin\\pulpit\\vga_xp_070423\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2536)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Czas ukończenia: 2012-07-18 09:39:20 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2012-07-18 07:39
ComboFix2.txt 2012-07-17 13:33
.
Przed: 32 067 436 544 bajtów wolnych
Po: 31 971 917 824 bajtów wolnych
.
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - FD517E67B992B28E5891D3DC35C3F9AA