ComboFix 10-11-09.02 - KrzyŚ 2010-11-10 14:44:00.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.2047.1588 [GMT 1:00]
Uruchomiony z: c:\documents and settings\KrzyŚ\Pulpit\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira FireWall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
.
((((((((((((((((((((((((( Pliki utworzone od 2010-10-10 do 2010-11-10 )))))))))))))))))))))))))))))))
.
2010-11-07 14:35 . 2010-11-07 14:39 -------- d-----w- C:\filmy
2010-10-29 08:53 . 2010-10-29 08:53 -------- d-----r- C:\MSOCache
2010-10-25 13:45 . 2010-11-07 14:20 -------- d-----w- C:\Temp
2010-10-24 11:27 . 2010-10-24 11:27 -------- d-----w- C:\SIERRA
2010-10-21 08:58 . 2010-11-09 21:41 -------- d-----w- C:\Downloads
2010-10-20 18:03 . 2010-10-20 18:03 -------- d-----w- C:\totalcmd
2010-10-20 17:38 . 2010-10-20 17:38 -------- d-----w- C:\HattrickOrganizer
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-20 15:05 . 2006-12-17 21:11 7680 ----a-w- c:\windows\system32\drivers\ATKACPI.sys
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{346FDE31-DFF9-418A-90C8-BA31DC9FF2EF}]
2010-04-21 12:13 3301176 ----a-w- c:\program files\Ant.com\IE add-on\Download.antplugin

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 13:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
"{2E924F4F-67F0-4BD8-9560-49F468E843D2}"= "c:\program files\Ant.com\IE add-on\AntToolbar.dll" [2010-04-21 162104]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{2e924f4f-67f0-4bd8-9560-49f468e843d2}]
[HKEY_CLASSES_ROOT\AntToolbar.AntDownloaderToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{D04CD347-E0F5-4D0C-AA91-D43F16B21157}]
[HKEY_CLASSES_ROOT\AntToolbar.AntDownloaderToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
"{2E924F4F-67F0-4BD8-9560-49F468E843D2}"= "c:\program files\Ant.com\IE add-on\AntToolbar.dll" [2010-04-21 162104]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{2e924f4f-67f0-4bd8-9560-49f468e843d2}]
[HKEY_CLASSES_ROOT\AntToolbar.AntDownloaderToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{D04CD347-E0F5-4D0C-AA91-D43F16B21157}]
[HKEY_CLASSES_ROOT\AntToolbar.AntDownloaderToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\KrzyŚ\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe" [2010-10-20 136176]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-10-20 323392]
"Konnekt"="c:\program files\Konnekt\konnekt.exe" [2005-05-24 503808]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-10-11 14940040]
"RayV"="c:\program files\RayV\RayV\RayV.exe" [2010-06-28 2561320]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMedia.exe" [2008-06-24 159744]
"RTHDCPL"="RTHDCPL.EXE" [2010-10-20 17021440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2008-08-18 117304]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-10-20 166456]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-04-09 450648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-23 98304]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2009-12-09 606208]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\KrzyŚ\Menu Start\Programy\Autostart\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Konnekt\\konnekt.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\RayV\\RayV\\RayV.exe"=
"c:\\Program Files\\RayV\\RayV\\RayV.dll"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7581:TCP"= 7581:TCP:cxnsijfy
"20985:TCP"= 20985:TCP:BitComet 20985 TCP
"20985:UDP"= 20985:UDP:BitComet 20985 UDP

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2010-10-20 691696]
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [2010-11-09 102856]
R2 AntiVirFirewallService;Avira FireWall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [2010-11-09 539304]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [2010-11-09 339624]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-09 135336]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [2010-11-09 403624]
R2 AntUpdaterService;Ant Toolbar updater service;c:\program files\Ant.com\IE add-on\AntUpdaterService.exe [2010-04-21 142648]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [2010-11-09 79432]
S2 ayqgayin;Universal Shell;c:\windows\system32\svchost.exe -k netsvcs [2004-08-03 14336]
S2 ksibmcxso;Server Task;c:\windows\system32\svchost.exe -k netsvcs [2004-08-03 14336]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ayqgayin
ksibmcxso
.
Zawartość folderu 'Zaplanowane zadania'

2010-11-10 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 13:23]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.ask.com?o=15161&l=dis
uInternet Settings,ProxyOverride = *.local
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{70AF6C9F-0818-4cf7-924A-BBDBB24211D3} - {70AF6C9F-0818-4cf7-924A-BBDBB24211D3} - c:\program files\Ant.com\IE add-on\Download.antplugin
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-ALLUpdate - c:\program files\ALLPlayer\ALLUpdate.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-10 14:59
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ayqgayin]
"ServiceDll"="c:\windows\system32\pobtlr.dll"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ksibmcxso]
"ServiceDll"="c:\program files\Movie Maker\pobtlr.dll"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(1600)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1656)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
Czas ukończenia: 2010-11-10 15:14:37
ComboFix-quarantined-files.txt 2010-11-10 14:14

Przed: 5 556 695 040 bajtów wolnych
Po: 5 524 774 912 bajtów wolnych

- - End Of File - - 1577C34F0D88B450875AD231C9CF1E07