ComboFix 12-07-14.01 - A 2012-07-15 21:45:24.1.1 - x86 NETWORK Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1250.48.1045.18.893.518 [GMT 2:00] Uruchomiony z: c:\users\A\Desktop\ComboFix.exe AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855} FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E} SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Usunięto ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\program files\Complitly c:\program files\Complitly\chrome\ComplitlyChrome.crx c:\program files\Complitly\FireFoxExtension.exe c:\program files\Complitly\InstTracker.exe c:\program files\Complitly\support@Complitly.com\chrome.manifest c:\program files\Complitly\support@Complitly.com\chrome\content\appIcon.png c:\program files\Complitly\support@Complitly.com\chrome\content\browserOverlay.xul c:\program files\Complitly\support@Complitly.com\chrome\content\options.js c:\program files\Complitly\support@Complitly.com\chrome\content\options.xul c:\program files\Complitly\support@Complitly.com\chrome\content\utils.js c:\program files\Complitly\support@Complitly.com\defaults\preferences\predictad.js c:\program files\Complitly\support@Complitly.com\install.rdf c:\program files\Complitly\unins000.dat c:\program files\Complitly\unins000.exe c:\program files\DealPly c:\program files\DealPly\DealPly.crx c:\program files\DealPly\DealPlyIE.dll c:\program files\DealPly\DealPlyTune.dll c:\program files\DealPly\DealPlyUpdate.exe c:\program files\DealPly\DealPlyUpdate.log c:\program files\DealPly\DealPlyUpdateRun.exe c:\program files\DealPly\icon.ico c:\program files\DealPly\uninst.exe c:\users\A\AppData\Roaming\.# c:\windows\IsUn0415.exe c:\windows\system32\drivers\etc\hosts.ics . . ((((((((((((((((((((((((( Pliki utworzone od 2012-06-15 do 2012-07-15 ))))))))))))))))))))))))))))))) . . 2047-12-31 22:00 . 2011-10-18 14:23 -------- d-----w- C:\odzyskany 2012-07-15 19:53 . 2012-07-15 19:54 -------- d-----w- c:\users\A\AppData\Local\temp 2012-07-15 19:53 . 2012-07-15 19:53 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-07-14 05:24 . 2008-03-17 09:57 103680 ----a-w- c:\windows\system32\drivers\ewusbfake.sys 2012-07-14 05:24 . 2008-03-17 09:05 101632 ----a-r- c:\windows\system32\drivers\ewusbmdm.sys 2012-07-14 05:24 . 2008-03-16 12:47 872192 ----a-w- c:\windows\system32\drivers\mod7700.sys 2012-07-14 05:24 . 2008-01-22 13:10 100864 ----a-w- c:\windows\system32\drivers\ewusbnet.sys 2012-07-14 05:24 . 2007-08-09 02:06 23424 ----a-r- c:\windows\system32\drivers\ewdcsc.sys 2012-07-14 05:24 . 2012-07-14 05:25 -------- d-----w- c:\program files\PLAY ONLINE 2012-07-06 17:57 . 2012-07-06 17:57 -------- d-----w- c:\users\A\AppData\Roaming\hellomoto 2012-06-23 14:28 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-23 14:28 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll 2012-06-23 14:28 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-23 14:28 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll 2012-06-23 14:28 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll 2012-06-23 14:28 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll 2012-06-23 14:28 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll 2012-06-23 14:26 . 2012-06-02 13:19 171904 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-23 14:26 . 2012-06-02 13:12 33792 ----a-w- c:\windows\system32\wuapp.exe . . . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-05-17 22:45 . 2012-06-14 17:54 1800192 ----a-w- c:\windows\system32\jscript9.dll 2012-05-17 22:35 . 2012-06-14 17:54 1129472 ----a-w- c:\windows\system32\wininet.dll 2012-05-17 22:35 . 2012-06-14 17:54 1427968 ----a-w- c:\windows\system32\inetcpl.cpl 2012-05-17 22:29 . 2012-06-14 17:54 142848 ----a-w- c:\windows\system32\ieUnatt.exe 2012-05-17 22:24 . 2012-06-14 17:55 2382848 ----a-w- c:\windows\system32\mshtml.tlb 2012-05-15 19:51 . 2012-06-13 11:24 2045440 ----a-w- c:\windows\system32\win32k.sys 2012-05-01 14:03 . 2012-06-13 11:24 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-04-23 16:00 . 2012-06-13 11:25 984064 ----a-w- c:\windows\system32\crypt32.dll 2012-04-23 16:00 . 2012-06-13 11:25 133120 ----a-w- c:\windows\system32\cryptsvc.dll 2012-04-23 16:00 . 2012-06-13 11:25 98304 ----a-w- c:\windows\system32\cryptnet.dll . . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152] "{d43723ae-1ae1-4a25-a6a4-bf0929273cab}"= "c:\program files\Ashampoo_PO\prxtbAsha.dll" [2011-05-09 176936] . [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}] . [HKEY_CLASSES_ROOT\clsid\{d43723ae-1ae1-4a25-a6a4-bf0929273cab}] . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}] 2012-01-03 15:31 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d43723ae-1ae1-4a25-a6a4-bf0929273cab}] 2011-05-09 08:49 176936 ----a-w- c:\program files\Ashampoo_PO\prxtbAsha.dll . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}] 2012-02-19 12:46 1337648 ----a-r- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152] "{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2012-02-19 1337648] "{d43723ae-1ae1-4a25-a6a4-bf0929273cab}"= "c:\program files\Ashampoo_PO\prxtbAsha.dll" [2011-05-09 176936] . [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}] [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1] [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}] [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd] . [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}] [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1] [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}] [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar] . [HKEY_CLASSES_ROOT\clsid\{d43723ae-1ae1-4a25-a6a4-bf0929273cab}] . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{D43723AE-1AE1-4A25-A6A4-BF0929273CAB}"= "c:\program files\Ashampoo_PO\prxtbAsha.dll" [2011-05-09 176936] . [HKEY_CLASSES_ROOT\clsid\{d43723ae-1ae1-4a25-a6a4-bf0929273cab}] . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920] "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-13 413696] "Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-06 39408] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240] "TimeDateMUICallback"="c:\users\A\AppData\Local\Microsoft\Windows\355\TimeDateMUICallback.exe" [2012-07-06 49664] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-02 409264] "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-01-02 493112] "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-11 530552] "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 90112] "RtHDVCpl"="RtHDVCpl.exe" [2006-11-01 3772416] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104] "TOSHIBA Volume Indicator"="c:\program files\Toshiba\Utilities\VolControl.exe" [2006-12-13 94208] "NDSTray.exe"="NDSTray.exe" [BU] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-04 155648] "topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2006-12-15 577536] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040] "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048] "osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696] "ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-03 1391272] "SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2012-02-16 114992] "Sweetpacks Communicator"="c:\program files\SweetIM\Communicator\SweetPacksUpdateManager.exe" [2012-02-26 295728] . c:\users\A\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Spis treści programu OneNote.onetoc2 [2012-2-19 3656] Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . --- Inne Usługi/Sterowniki w Pamięci --- . *NewlyCreated* - COMHOST *NewlyCreated* - ECACHE . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache . Zawartość folderu 'Zaplanowane zadania' . 2012-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 09:53] . 2012-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 09:53] . 2012-07-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1922721550-4202307872-3142600702-1000Core.job - c:\users\A\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-22 14:10] . 2012-07-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1922721550-4202307872-3142600702-1000UA.job - c:\users\A\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-22 14:10] . 2012-07-06 c:\windows\Tasks\Norton Security Scan for A.job - c:\progra~1\NORTON~3\Engine\301~1.8\Nss.exe [2011-01-17 00:45] . 2011-09-13 c:\windows\Tasks\User_Feed_Synchronization-{8B1411EE-E680-4AEF-98EB-5EA8C5009A48}.job - c:\windows\system32\msfeedssync.exe [2012-02-16 02:29] . . ------- Skan uzupełniający ------- . uStart Page = hxxp://www.google.pl/ mStart Page = hxxp://home.sweetim.com IE: &Winamp Toolbar Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 TCP: Interfaces\{2B79728E-7D87-423F-B8E4-058C915C73A9}: NameServer = 217.30.129.149,217.30.137.200 . - - - - USUNIĘTO PUSTE WPISY - - - - . HKCU-Run-Expressivo - c:\program files\ivo\Expressivo Demo\expressivo.exe AddRemove-Complitly_is1 - c:\program files\Complitly\unins000.exe AddRemove-DealPly - c:\program files\DealPly\uninst.exe AddRemove-vghd - c:\users\A\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VirtuaGirl HD\uninstall.lnk . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-07-15 21:54 Windows 6.0.6002 Service Pack 2 NTFS . skanowanie ukrytych procesów ... . skanowanie ukrytych wpisów autostartu ... . HKCU\Software\Microsoft\Windows\CurrentVersion\Run TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????Ql?B?? ???H????????????? . skanowanie ukrytych plików ... . skanowanie pomyślnie ukończone ukryte pliki: 0 . ************************************************************************** . --------------------- ZABLOKOWANE KLUCZE REJESTRU --------------------- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 "MSCurrentCountry"=dword:000000b5 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . --------------------- Pliki DLL ładowane pod uruchomionymi procesami --------------------- . - - - - - - - > 'Explorer.exe'(428) c:\windows\system32\ieframe.dll . Czas ukończenia: 2012-07-15 21:58:42 ComboFix-quarantined-files.txt 2012-07-15 19:58 . Przed: 23 291 404 288 bajtów wolnych Po: 23 747 518 464 bajtów wolnych . - - End Of File - - 1F4FA94E5BF04AE7BD1FF69896EA302E