ComboFix 12-09-09.02 - Ewa 2012-09-10 13:04:08.3.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.1015.803 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Ewa\Pulpit\ComboFix.exe
 * Utworzono nowy punkt przywracania
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
.
c:\windows\system32\srsvc.dll . . . jest zainfekowany!!
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-08-10 do 2012-09-10 )))))))))))))))))))))))))))))))
.
.
2012-09-09 17:18 . 2012-09-09 17:18 -------- d-----w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\Adobe
2012-09-09 17:17 . 2012-09-09 17:17 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-09-09 08:08 . 2012-09-09 08:08 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\ponkeotfjrzdvpw
2012-09-09 08:08 . 2012-09-09 08:08 162816 ----a-w- c:\windows\udzqqhrr.exe
2012-08-13 11:16 . 2012-07-02 17:38 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-06 13:58 . 2008-04-14 20:50 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2008-05-17 16:59 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 18:22 . 2008-04-14 19:35 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:38 . 2008-05-17 16:59 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:38 . 2008-05-17 16:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:38 . 2008-05-17 16:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2008-05-17 16:58 385024 ----a-w- c:\windows\system32\html.iec
2010-05-03 18:31 . 2010-05-03 18:31 9057912 -c--a-w- c:\program files\Firefox Setup 3.6.3.exe
2009-02-28 11:35 . 2009-02-28 11:34 3663208 -c--a-w- c:\program files\BSINSTALLPL_(www.programs.pl).exe
2009-02-28 10:55 . 2009-02-28 10:54 16778424 -c--a-w- c:\program files\nowegg.exe
2012-06-09 15:08 . 2012-03-09 08:28 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-05-17 . 5E74EB0897F987167666AD8063260DAE . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0974BA1E-64EC-11DE-B2A5-E43756D89593}]
2009-12-20 09:51 87480 -c--a-w- c:\progra~1\BEARSH~2\MediaBar\ToolBar\BearshareMediabarDx.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2010-06-06 14:38 392112 ----a-w- c:\progra~1\BEARSH~2\MediaBar\DataMngr\IEBHO.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B287B0D7-C3BC-5281-68E1-690F8A225AF5}]
c:\documents and settings\All Users\Dane aplikacji\DownloadnSave\bhoclass.dll [BU]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
c:\program files\Ask.com\GenericAskToolbar.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0974BA1E-64EC-11DE-B2A5-E43756D89593}"= "c:\progra~1\BEARSH~2\MediaBar\ToolBar\BearshareMediabarDx.dll" [2009-12-20 87480]
.
[HKEY_CLASSES_ROOT\clsid\{0974ba1e-64ec-11de-b2a5-e43756d89593}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"ALLUpdate"="d:\programy\Rozrywka\ALLPlayer\ALLUpdate.exe" [2011-08-16 1379840]
"udzqqhrrjwqughl"="c:\windows\udzqqhrr.exe" [2012-09-09 162816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 16384512]
"SkyTel"="SkyTel.EXE" [2007-11-06 1826816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-06 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-06 138008]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-06 888832]
"NDSTray.exe"="NDSTray.exe" [BU]
"ATKHOTKEY"="c:\program files\ATK Hotkey\Hcontrol.exe" [2007-04-24 225280]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-01-19 458752]
"FBSearch"="c:\program files\Search Guard Plus\SearchGuardPlus.exe" [BU]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-01-19 221184]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-01-19 217088]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2010-02-04 320168]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2010-02-04 660136]
"lxdnamon"="c:\program files\Lexmark 2600 Series\lxdnamon.exe" [2010-02-04 16040]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 20:16 39792 ----a-w- d:\programy\Narzędzia\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
c:\program files\BearShare\BearShare.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
d:\programy\Rozrywka\Winamp\winampa.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\frun.exe"=
"e:\\SopCast\\adv\\SopAdver.exe"=
"e:\\SopCast\\SopCast.exe"=
"c:\\WINDOWS\\system32\\lxdncoms.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdntime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnjswx.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2008-05-17 264576]
S2 gupdate;Usługa Google Update (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [2012-04-17 94208]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2012-05-26 13880]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-06-19 3048136]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-07-13 160944]
S3 gupdatem;Usługa Google Update (gupdatem);"c:\program files\Google\Update\GoogleUpdate.exe" /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-26 113120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-09-04 c:\windows\Tasks\Norton Security Scan for Ewa.job
- c:\progra~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-14 00:45]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://search.babylon.com/?affID=113679&tt=010712_5&babsrc=HP_ss&mntrId=c0d66be1000000000000001644a138a7
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&ksport do programu Microsoft Excel - d:\programy\Praca\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 194.204.152.34 194.204.159.1
FF - ProfilePath - c:\documents and settings\Ewa\Dane aplikacji\Mozilla\Firefox\Profiles\hfefmpb3.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://wp.pl/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=SPC2&o=15000&locale=en_US&apn_uid=814B7A7D-7BEF-443E-9575-CB03EEEAAEF0&apn_ptnrs=PV&apn_sauid=F848482D-E142-4D1C-BF5F-C918B35C9362&apn_dtid=YYYYYYYYPL&q=
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=113679&tt=010712_5
FF - user.js: extensions.BabylonToolbar_i.babExt - 
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - c0d66be1000000000000001644a138a7
FF - user.js: extensions.BabylonToolbar_i.hardId - c0d66be1000000000000001644a138a7
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15523
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1721:55
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-10 13:07
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   FBSearch = c:\program files\Search Guard Plus\SearchGuardPlus.exe? ? ?