ComboFix 12-07-20.01 - cziken 2012-07-20 11:55:22.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1250.48.1045.18.3062.2646 [GMT 2:00]
Uruchomiony z: c:\users\cziken\Downloads\ComboFix.exe
 * Utworzono nowy punkt przywracania
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Zainfekowana kopia c:\windows\System32\autochk.exe została znaleziona. Problem naprawiono
Plik odzyskano z - c:\windows\SoftwareDistribution\Download\2b4e48d0ede6112a59b10e3704a22eee\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6001.18000_none_e1f3ed49c1c122ef\autochk.exe
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-06-20 do 2012-07-20 )))))))))))))))))))))))))))))))
.
.
2012-07-20 10:03 . 2012-07-20 10:06 -------- d-----w- c:\users\cziken\AppData\Local\temp
2012-07-20 10:03 . 2012-07-20 10:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-20 07:02 . 2012-07-20 08:25 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2012-07-20 07:01 . 2012-07-20 09:51 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2012-07-15 23:15 . 2012-07-20 06:56 -------- d-----w- c:\users\cziken\AppData\Roaming\hellomoto
2012-07-12 06:08 . 2012-07-19 00:08 -------- d-----w- c:\users\cziken\AppData\Roaming\Toubin
2012-07-12 06:08 . 2012-07-12 06:08 -------- d-----w- c:\users\cziken\AppData\Roaming\Keme
2012-07-11 23:07 . 2012-07-11 23:07 -------- d-----w- c:\users\cziken\AppData\Roaming\Wyunow
2012-07-11 21:32 . 2012-07-20 07:03 -------- d-----w- c:\users\cziken\AppData\Roaming\Icax
2012-07-11 21:32 . 2012-07-11 21:32 -------- d-----w- c:\users\cziken\AppData\Roaming\Agyvov
2012-07-08 10:26 . 2012-07-08 10:26 -------- d-----w- c:\programdata\dvdfab
2012-07-08 10:19 . 2012-07-08 10:20 -------- d-----w- c:\program files\DVDFab 8 Qt
2012-07-03 18:09 . 2012-07-03 18:09 -------- d-----w- c:\program files\Application Updater
2012-07-03 18:08 . 2012-07-03 18:09 -------- d-----w- c:\program files\YouTube Downloader Toolbar
2012-07-03 18:08 . 2012-07-03 18:08 -------- d-----w- c:\program files\Common Files\Spigot
2012-06-26 20:10 . 2012-06-26 20:10 -------- d-----w- c:\program files\CDex
2012-06-23 06:00 . 2012-06-23 06:00 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-23 06:00 . 2012-06-23 06:00 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-20 06:51 . 2012-02-18 17:37 44544 ----a-w- c:\windows\system32\agremove.exe
2012-06-28 18:23 . 2012-05-05 19:32 476976 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-28 18:23 . 2012-02-18 16:58 472880 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-20 07:39 . 2012-04-01 21:06 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-20 07:39 . 2012-02-18 17:31 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-20 07:08 . 2012-02-18 16:59 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63e8ff83-293b-51e1-17b8-d8f4c309bc3d}]
c:\windows\system32\ff6ece88.dll [BU]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2012-02-19 1232896]
"TOSCDSPD"="TOSCDSPD.EXE" [BU]
"Facebook Update"="c:\users\cziken\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
"Ozitge"="c:\users\cziken\AppData\Roaming\Touzak\ibez.exe" [BU]
"Dozymoqe"="c:\users\cziken\AppData\Roaming\Soeh\cuze.exe" [BU]
"UIAutomationCore"="c:\users\cziken\AppData\Local\Microsoft\Windows\2247\UIAutomationCore.exe" [2012-07-15 51200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-25 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-25 129560]
"NDSTray.exe"="NDSTray.exe" [BU]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-29 1029416]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-25 413696]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-05-04 571024]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Browsers Protector"="c:\program files\Browsers Protector\regmon32.exe" [2012-02-15 147784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2012-06-27 1090440]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-1-25 2938184]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-07-19 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3528662731-480313372-4151236620-1000Core.job
- c:\users\cziken\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-21 21:26]
.
2012-07-20 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3528662731-480313372-4151236620-1000UA.job
- c:\users\cziken\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-21 21:26]
.
2012-02-18 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-05 14:10]
.
2012-02-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-05 14:10]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://startsear.ch/?aff=1&cf=e8784d90-8666-11e1-8f4b-001e685d3713
mStart Page = hxxp://startsear.ch/?aff=1&cf=e8784d90-8666-11e1-8f4b-001e685d3713
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\users\cziken\AppData\Roaming\Mozilla\Firefox\Profiles\smu426ow.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://startsear.ch/?aff=1&cf=e8784d90-8666-11e1-8f4b-001e685d3713
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-20 12:05
Windows 6.0.6000 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\System32\rundll32.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\helppane.exe
c:\progra~1\mcafee\msc\mcuimgr.exe
.
**************************************************************************
.
Czas ukończenia: 2012-07-20 12:10:08 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2012-07-20 10:09
ComboFix2.txt 2012-07-20 08:37
.
Przed: 28 453 228 544 bajtów wolnych
Po: 28 235 165 696 bajtów wolnych
.
- - End Of File - - 07BE09B8FEBEDAEDCE4E9BD1F3458FA2