ComboFix 12-09-11.02 - MasterAdmin 2012-09-11 16:59:54.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.510.93 [GMT 2:00]
Uruchomiony z: c:\docume~1\MASTER~1\USTAWI~1\Temp\7ZipSfx.000\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Dane aplikacji\acxzjxsg.exe
c:\documents and settings\All Users\Dane aplikacji\Bcool
c:\documents and settings\All Users\Dane aplikacji\Bcool\background.html
c:\documents and settings\All Users\Dane aplikacji\Bcool\bhoclass.dll
c:\documents and settings\All Users\Dane aplikacji\Bcool\content.js
c:\documents and settings\All Users\Dane aplikacji\Bcool\data\content.js
c:\documents and settings\All Users\Dane aplikacji\Bcool\data\jsondb.js
c:\documents and settings\All Users\Dane aplikacji\Bcool\ipecdmpmljflcnhcpembbfpkgcjdhgfi.crx
c:\documents and settings\All Users\Dane aplikacji\Bcool\settings.ini
c:\documents and settings\All Users\Dane aplikacji\Bcool\uninstall.exe
c:\documents and settings\User\0.7366220653478982.exe
c:\program files\Setup.exe
c:\program files\StartSearch plugin
c:\program files\StartSearch plugin\IEhelperActiveX.dll
c:\program files\StartSearch plugin\startsplg.crx
c:\program files\StartSearch plugin\uninst.exe
c:\program files\Web Assistant\ExTEnsion32.dll
C:\Uninstall.exe
c:\windows\system32\a888df2d.dll
c:\windows\system32\msconfig.exe
c:\windows\system32\NEW13.tmp
c:\windows\system32\NEW14.tmp
c:\windows\system32\NEWD.tmp
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-08-11 do 2012-09-11 )))))))))))))))))))))))))))))))
.
.
2012-09-11 14:48 . 2012-09-11 14:48 -------- d-----w- c:\documents and settings\MasterAdmin
2012-09-09 15:18 . 2012-09-09 15:18 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\lptrriigvkrrsdg
2012-09-09 15:17 . 2012-09-09 15:17 162816 ----a-w- c:\windows\acxzjxsg.exe
2012-08-29 13:02 . 2012-08-29 13:02 -------- d-----w- c:\program files\LogMeIn Hamachi
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-05 18:56 . 2012-02-05 16:58 1699258328 ----a-w- c:\program files\Rappelz_PL.exe
2011-01-20 14:02 . 2011-01-20 14:02 2994176 ----a-w- c:\program files\openofficeorg33.msi
2012-09-08 07:04 . 2012-09-08 07:03 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2007-03-24 . 0FB6743E937C7BB248B2530A5A77ABC6 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
.
.
[-] 2007-03-22 . A451F3AF95B9E681EAA6105630E1B5D5 . 1431552 . . [6.00.2900.2649] . . c:\windows\explorer.exe
.
[-] 2004-08-03 . 703050D68720691186C3D94C2AB9A2D1 . 227328 . . [5.1.2600.2180] . . c:\windows\regedit.exe
.
.
[-] 2007-03-22 . A2B45B10EEA1FE5C58C9C086E2036E8A . 2984448 . . [5.1.2600.3051] . . c:\windows\system32\ntkrnlpa.exe
.
[-] 2007-03-22 . A18F81D907D994C3D19A58A87EEB41A5 . 3161472 . . [5.1.2600.3023] . . c:\windows\system32\ntoskrnl.exe
.
c:\windows\System32\wuauclt.exe ... - brak elementu !!
c:\windows\System32\regsvc.dll ... - brak elementu !!
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8f3c1d75-d467-43c2-9a36-655366b76f5f}]
2011-05-09 09:49 176936 ----a-w- c:\program files\Softonic-Polska_\prxtbSof1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8f3c1d75-d467-43c2-9a36-655366b76f5f}"= "c:\program files\Softonic-Polska_\prxtbSof1.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{8f3c1d75-d467-43c2-9a36-655366b76f5f}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2009-04-30 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
"RTHDCPL"="RTHDCPL.EXE" [2009-12-08 18789920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Microsoft(R) Windows(R) Operating System"="c:\documents and settings\User\Pulpit\Minecraft server\exphack_metin\FishingBot.exe" [2009-02-27 560128]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Browsers Protector"="c:\program files\Browsers Protector\regmon32.exe" [2012-02-15 147784]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-08-29 1996200]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2007-03-24 123904]
.
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Techland\\Call of Juarez\\CoJ.exe"=
"c:\\Documents and Settings\\User\\Pulpit\\Metek\\metin2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Documents and Settings\\User\\Pulpit\\Metek\\metin2client.bin"=
"c:\\Program Files\\Gadu-Gadu 10\\gg.exe"=
"c:\\Program Files\\Counter-Strike\\cstrike.exe"=
"c:\\Program Files\\Counter-Strike\\hl.exe"=
"c:\\Program Files\\Counter-Strike\\hlds.exe"=
"c:\\Program Files\\Counter-Strike\\hltv.exe"=
"c:\\Program Files\\XenoX_MT2_Klient(nowy patch 03.09.2011r)\\XenoxMT2 Launcher.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\User\\Ustawienia lokalne\\Dane aplikacji\\MediaGet2\\mediaget.exe"=
"c:\\Documents and Settings\\User\\Pulpit\\Trool\\Call.Of.Juarez.no.Dvd.serials.key.exe"=
"c:\\Documents and Settings\\User\\Temp\\{12583F27-77F2-B1BC-5357-3FD0C9BB1DD1}\\Addons\\incredibar_install.exe"=
"c:\\Documents and Settings\\User\\Pulpit\\XenoXMT2client_11.02.2012r_by_Pawemol\\XenoxMT2 Launcher.exe"=
"c:\\Documents and Settings\\User\\Pulpit\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57541:TCP"= 57541:TCP:Pando Media Booster
"57541:UDP"= 57541:UDP:Pando Media Booster
.
R0 pe3alvyb;Call of Juarez 4.7 Environment Driver (pe3alvyb);c:\windows\system32\drivers\pe3alvyb.sys [2007-07-23 65160]
R0 ps6alvyb;Call of Juarez 4.7 Synchronization Driver (ps6alvyb);c:\windows\system32\drivers\ps6alvyb.sys [2007-07-23 68752]
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [2006-07-05 63352]
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2012-08-29 1385896]
R3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2012-05-21 7680]
S2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [2011-07-24 219360]
S2 pr2alvyb;Call of Juarez 4.7 Drivers Auto Removal (pr2alvyb);c:\windows\system32\pr2alvyb.exe svc --> c:\windows\system32\pr2alvyb.exe svc [?]
S2 Web Assistant Updater;Web Assistant Updater;c:\program files\Web Assistant\ExtensionUpdaterService.exe [2012-05-22 185856]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-07-24 1691480]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-04 114144]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-09-07 c:\windows\Tasks\Norton Security Scan for User.job
- c:\progra~1\NORTON~2\Engine\351~1.6\Nss.exe [2011-08-27 00:45]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://home.sweetim.com/?crg=3.1030000.103000&st=12
mStart Page = hxxp://home.sweetim.com/?crg=3.1030000.103000&st=12
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\MasterAdmin\Dane aplikacji\Mozilla\Firefox\Profiles\5vke01g7.default\
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
BHO-{46bc9564-02f3-79f9-1f5f-c8d1943ac00c} - c:\windows\system32\a888df2d.dll
BHO-{6783B358-C877-B403-A020-A376B8039F74} - c:\documents and settings\All Users\Dane aplikacji\Bcool\bhoclass.dll
HKLM-Run-DriverCD - E:\Run.exe
AddRemove-1ClickDownloader - c:\documents and settings\User\Pulpit\uninst.exe
AddRemove-StartSearch Toolbar - c:\program files\StartSearch plugin\uninst.exe
AddRemove-{20E7BC40-33F6-4A81-9D52-B58349326206} - c:\documents and settings\All Users\Dane aplikacji\Bcool\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-11 17:05
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Czas ukończenia: 2012-09-11 17:06:55
ComboFix-quarantined-files.txt 2012-09-11 15:06
.
Przed: 20 091 166 720 bajtów wolnych
Po: 20 084 314 112 bajtów wolnych
.
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 2F2A02DA7317E00B12FB795506438289