ComboFix 12-08-10.02 - Joker_PC 2012-08-12 19:00:26.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.894.551 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Joker_PC\Moje dokumenty\Pobieranie\ComboFix_www.INSTALKI.pl.exe
AV: Kaspersky Internet Security *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\1.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\4489.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\450.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\a.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\b.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\c.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\d.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\e.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\f.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\g.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\h.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\i.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\j.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\k.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\l.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\m.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\n.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\o.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\p.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\q.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\r.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\s.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\t.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\u.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\v.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\w.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\wlu.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\x.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\y.txt
c:\documents and settings\Joker_PC\Dane aplikacji\PriceGong\Data\z.txt
c:\documents and settings\Joker_PC\Ustawienia lokalne\Dane aplikacji\ahckbuap.log
c:\documents and settings\Joker_PC\Ustawienia lokalne\Dane aplikacji\hkrtpwnx.log
c:\documents and settings\Joker_PC\Ustawienia lokalne\Dane aplikacji\ibyhltux.log
c:\documents and settings\Joker_PC\Ustawienia lokalne\Dane aplikacji\jxoajexo.log
c:\documents and settings\Joker_PC\Ustawienia lokalne\Dane aplikacji\mtmrrpes.log
c:\documents and settings\Joker_PC\Ustawienia lokalne\Dane aplikacji\snwwfssx.log
c:\documents and settings\Joker_PC\Ustawienia lokalne\Dane aplikacji\tasxjmyl.log
c:\documents and settings\Joker_PC\Ustawienia lokalne\Dane aplikacji\vsjuvldr.log
c:\documents and settings\Joker_PC\Ustawienia lokalne\Dane aplikacji\xkafviyd.log
c:\documents and settings\Joker_PC\Ustawienia lokalne\Dane aplikacji\xxnomxmn\gefbwxse.exe
c:\windows\$NtUninstallKB12611$
c:\windows\$NtUninstallKB12611$\2068990481\@
c:\windows\$NtUninstallKB12611$\2068990481\cfg.ini
c:\windows\$NtUninstallKB12611$\2068990481\Desktop.ini
c:\windows\$NtUninstallKB12611$\2068990481\L\rdoryidy
c:\windows\$NtUninstallKB12611$\2068990481\oemid
c:\windows\$NtUninstallKB12611$\2068990481\U\00000001.@
c:\windows\$NtUninstallKB12611$\2068990481\U\00000002.@
c:\windows\$NtUninstallKB12611$\2068990481\U\00000004.@
c:\windows\$NtUninstallKB12611$\2068990481\U\80000000.@
c:\windows\$NtUninstallKB12611$\2068990481\U\80000004.@
c:\windows\$NtUninstallKB12611$\2068990481\U\80000032.@
c:\windows\$NtUninstallKB12611$\2068990481\version
c:\windows\$NtUninstallKB12611$\2900560903
c:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-07-12 do 2012-08-12 )))))))))))))))))))))))))))))))
.
.
2012-08-11 14:19 . 2012-08-12 17:16 -------- d-----w- c:\documents and settings\Joker_PC\Ustawienia lokalne\Dane aplikacji\xxnomxmn
2012-08-07 12:30 . 2012-08-10 19:19 -------- d-----w- c:\program files\JDownloader
2012-08-07 12:28 . 2012-08-07 12:28 -------- d-----w- c:\program files\Common Files\Java
2012-08-07 12:26 . 2012-08-07 12:26 -------- d-----w- c:\program files\Oracle
2012-08-07 12:25 . 2012-07-05 20:07 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-07 12:25 . 2012-08-07 12:25 -------- d-----w- c:\program files\Java
2012-08-02 15:29 . 2012-08-02 15:29 -------- d-----w- c:\windows\system32\Adobe
2012-07-29 20:49 . 2012-07-29 21:01 -------- d-----w- C:\2012-07 (lip)
2012-07-21 12:51 . 2012-07-21 12:51 -------- d-----w- c:\documents and settings\Joker_PC\Ustawienia lokalne\Dane aplikacji\Sun
2012-07-21 12:46 . 2012-07-21 12:46 -------- d-----w- c:\documents and settings\Joker_PC\Dane aplikacji\Oracle
2012-07-21 12:46 . 2012-07-05 20:06 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-13 19:12 . 2012-07-13 19:12 -------- d-----w- c:\documents and settings\Joker_PC\Ustawienia lokalne\Dane aplikacji\DOSBox
2012-07-13 19:12 . 2012-07-14 11:33 -------- d-----w- c:\program files\DOSBox-0.74
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-05 20:06 . 2011-02-16 13:52 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-17 13:32 . 2012-06-17 13:32 477240 ----a-w- c:\windows\system32\drivers\sptd.sys
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2012-01-05 75624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2008-08-24 53248]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2006-09-29 720896]
"SMSERIAL"="c:\windows\sm56hlpr.exe" [2008-08-25 565248]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-02-26 153136]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-25 49152]
"Adobe Reader Speed Launcher"="c:\tools\Adobe\reader\Reader\Reader_sl.exe" [2007-05-11 40048]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe" [2012-06-30 365336]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Joker_PC\Ustawienia lokalne\Dane aplikacji\xxnomxmn\gefbwxse.exe"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\tools\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Tools\\uTorrent\\utorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-06-09 11352]
R2 TomTomHOMEService;TomTomHOMEService;d:\tools\TomTom HOME 2\TomTomHOMEService.exe [2012-01-23 92592]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-05-07 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-02 19472]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\Joker_PC\USTAWI~1\Temp\npgiwuoq.sys --> c:\docume~1\Joker_PC\USTAWI~1\Temp\npgiwuoq.sys [?]
S2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe [2012-01-05 75624]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-02-29 158856]
S3 CT_QUALCOMM_U_drv;Qualcomm EVDO USB Device for Serial Communication;c:\windows\system32\DRIVERS\CT_QUALCOMM_U_drv.sys --> c:\windows\system32\DRIVERS\CT_QUALCOMM_U_drv.sys [?]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2011-02-27 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2011-02-27 11104]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2011-12-28 47176]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [2011-12-28 58112]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [2006-07-03 217600]
S3 USBSER34;USBSER34;c:\windows\system32\drivers\USBSER34.SYS [2011-06-23 37456]
.
--- Inne Usługi/Sterowniki w Pamięci ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ	hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
avgclean
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{B46B0919-62BA-4D99-A5C4-916B57A6805C} - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - c:\program files\Techland\Common\InternetTranslator\InternetTranslator.dll
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Joker_PC\Dane aplikacji\Mozilla\Firefox\Profiles\b415q0ki.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
HKCU-Run-GefBwxse - c:\documents and settings\Joker_PC\Ustawienia lokalne\Dane aplikacji\xxnomxmn\gefbwxse.exe
HKLM-Run-hpqSRMon - (no file)
AddRemove-SLABCOMM&10C4&EA60 - c:\program files\Silabs\MCU\CP210x\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60
AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\tools\DivX\DivXConverterUninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\tools\DivX\DivXCodecUninstall.exe
AddRemove-{B13A7C41581B411290FBC0395694E2A9} - c:\tools\DivX\DivXConverterUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-12 19:18
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
skanowanie ukrytych plików ...
.
.
c:\documents and settings\Joker_PC\Moje dokumenty\Menu Start\Programy\Autostart\gefbwxse.exe 94456 bytes executable
.
skanowanie pomyślnie ukończone
ukryte pliki: 1
.
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'explorer.exe'(3504)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\VTTimer.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Czas ukończenia: 2012-08-12 19:20:46 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2012-08-12 17:20
.
Przed: 6 535 053 312 bajtów wolnych
Po: 7 777 943 552 bajtów wolnych
.
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - C2A264617AA15D24848D3F98B0ACCC40