ComboFix 12-10-18.03 - Andrzej 2012-10-18 21:07:34.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2047.1579 [GMT 2:00]
Run from: c:\documents and settings\Andrzej\Pulpit\ComboFix.exe
Command switches used :: c:\documents and settings\Andrzej\Pulpit\CFScript.txt
.
FILE ::
"c:\documents and settings\All Users\Menu Start\Programy\Autostart\$McRebootA5E6DEAA56$.lnk"
.
.
(((((((((((((((((((((((((   Files created from 2012-09-18 to 2012-10-18   )))))))))))))))))))))))))))))))
.
.
2012-10-18 15:51 . 2012-10-18 15:51	--------	d-----w-	c:\program files\LSoft Technologies
2012-10-18 09:40 . 2012-10-18 09:40	--------	d-----w-	C:\_OTL
2012-10-11 22:02 . 2012-10-18 17:29	--------	d-----w-	C:\UsbFix
2012-10-09 16:02 . 2012-10-09 16:02	--------	d-----w-	c:\documents and settings\Andrzej\Dane aplikacji\Media Player Classic
2012-09-24 14:23 . 2012-09-24 14:23	--------	d-----w-	c:\documents and settings\Andrzej\Ustawienia lokalne\Dane aplikacji\Help
2012-09-22 11:07 . 2012-09-22 11:11	--------	d-----w-	c:\documents and settings\Andrzej\Dane aplikacji\ExpressFiles
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M section   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-12 21:03 . 2012-10-12 21:03	3381872	----a-w-	C:\UsbFix_Upload_Me_ANDRZEJLAP.zip
2012-09-10 14:50 . 2012-09-10 14:51	73728	----a-w-	c:\winnt\system32\javacpl.cpl
2012-09-10 14:50 . 2012-09-10 14:51	477168	----a-w-	c:\winnt\system32\npdeployJava1.dll
2012-09-10 14:50 . 2012-03-27 16:20	473072	----a-w-	c:\winnt\system32\deployJava1.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2012-05-05 . F0E6C89AB059B7CDD7991940C634889A . 2193920 . . [5.1.2600.6223] . . c:\winnt\Driver Cache\i386\ntoskrnl.exe
[-] 2012-05-05 . 7F7B62984E191AC852637A657993F907 . 2193920 . . [5.1.2600.6223] . . c:\winnt\system32\ntoskrnl.exe
[7] 2012-05-05 . F0E6C89AB059B7CDD7991940C634889A . 2193920 . . [5.1.2600.6223] . . c:\winnt\system32\dllcache\ntoskrnl.exe
[7] 2012-05-05 . 73EBA89776A0BD9D359AAAEBB152BCDB . 2193920 . . [5.1.2600.6223] . . c:\winnt\$hf_mig$\KB2707511\SP3QFE\ntoskrnl.exe
[7] 2012-04-11 . 7F1A4FFC01C9218C3EA1FFC8DCEC4171 . 2193920 . . [5.1.2600.6206] . . c:\winnt\$NtUninstallKB2707511$\ntoskrnl.exe
[7] 2012-04-11 . 833DE0A926DA4CCBCE6DD67FEDCC3EB2 . 2193920 . . [5.1.2600.6206] . . c:\winnt\$hf_mig$\KB2676562\SP3QFE\ntoskrnl.exe
[7] 2011-10-26 . 61B8C37768680B3CFBBA9E13983D2C3C . 2194048 . . [5.1.2600.6165] . . c:\winnt\$NtUninstallKB2676562$\ntoskrnl.exe
[7] 2011-10-26 . 1B2010D88940E442770AD3B8A7F45330 . 2194048 . . [5.1.2600.6165] . . c:\winnt\$hf_mig$\KB2633171\SP3QFE\ntoskrnl.exe
[7] 2010-12-09 . 8A302601BE409E59260BB8ADE7CC6BC2 . 2194048 . . [5.1.2600.6055] . . c:\winnt\$hf_mig$\KB2393802\SP3QFE\ntoskrnl.exe
[7] 2009-02-10 . 67DD50DFE7736999AE3C59699F9698B4 . 2190464 . . [5.1.2600.5755] . . c:\winnt\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
.
(((((((((((((((((((((((((((((((((((((   Registry startup entries   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"Gadu-Gadu 10"="d:\programy\gg\Gadu-Gadu 10\gg.exe" [2011-06-01 13349472]
"uTorrent"="d:\programy\utorrent\uTorrent.exe" [2012-07-20 895376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\winnt\system32\WLTRAY" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"Adobe Reader Speed Launcher"="d:\programy\adobe\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\winnt\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\McAfee Security Scan Plus.lnk
backup=c:\winnt\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-06-29 10:13	1032192	----a-w-	c:\program files\Dell\QuickSet\quickset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-06-07 17:17	17425072	----a-r-	c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2012-07-20 11:30	895376	----a-w-	d:\programy\utorrent\uTorrent.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Programy\\utorrent\\uTorrent.exe"=
"d:\\Programy\\gg\\Gadu-Gadu 10\\gg.exe"=
.
R2 MSSQL$InsERT;MSSQL$InsERT;c:\program files\Microsoft SQL Server\MSSQL$InsERT\Binn\sqlservr.exe -sInsERT --> c:\program files\Microsoft SQL Server\MSSQL$InsERT\Binn\sqlservr.exe -sInsERT [?]
S2 0102741350577920mcinstcleanup;McAfee Application Installer Cleanup (0102741350577920);c:\docume~1\Andrzej\USTAWI~1\Temp\010274~1.EXE -cleanup -nolog --> c:\docume~1\Andrzej\USTAWI~1\Temp\010274~1.EXE -cleanup -nolog [?]
S2 gupdate;Usługa Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2012-04-15 136176]
S2 KMService;KMService;c:\winnt\system32\srvany.exe [2012-06-10 8192]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-06-07 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\winnt\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 250056]
S3 gupdatem;Usługa Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2012-04-15 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-03 114144]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
S3 SQLAgent$InsERT;SQLAgent$InsERT;c:\program files\Microsoft SQL Server\MSSQL$InsERT\Binn\sqlagent.EXE -i InsERT --> c:\program files\Microsoft SQL Server\MSSQL$InsERT\Binn\sqlagent.EXE -i InsERT [?]
S4 sptd;sptd;c:\winnt\system32\Drivers\sptd.sys --> c:\winnt\system32\Drivers\sptd.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BITS
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-18 c:\winnt\Tasks\Adobe Flash Player Updater.job
- c:\winnt\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 07:06]
.
2012-10-18 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-15 14:08]
.
2012-10-18 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-15 14:08]
.
2012-10-18 c:\winnt\Tasks\WGASetup.job
- c:\winnt\system32\KB905474\wgasetup.exe [2012-04-02 20:18]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://linktarget.ashampoo.com/linktarget/?target=regpopinstall&edition=eid=9384&x-thrdp=none
IE: E&ksportuj do programu Microsoft Excel - d:\programy\ofice\Office14\EXCEL.EXE/3000
IE: Wyślij &do programu OneNote - d:\programy\ofice\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Andrzej\Dane aplikacji\Mozilla\Firefox\Profiles\5esuaogd.default\
FF - prefs.js: browser.search.defaulturl - 
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - ExtSQL: 2012-09-10 16:51; {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}; d:\programy\Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-18 23:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(852)
c:\winnt\system32\Ati2evxx.dll
c:\winnt\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(3204)
c:\winnt\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\winnt\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\winnt\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\winnt\System32\wltrysvc.exe
c:\winnt\System32\bcmwltry.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$InsERT\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\winnt\system32\wdfmgr.exe
c:\winnt\system32\wbem\wmiapsrv.exe
c:\winnt\system32\wscntfy.exe
c:\winnt\system32\WLTRAY.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2012-10-18 23:10:10 - machine was rebooted
ComboFix-quarantined-files.txt  2012-10-18 21:10
ComboFix2.txt  2012-10-18 16:57
.
Pre-Run: 6,324,977,664 bytes free
Post-Run: 6,313,750,528 bytes free
.
- - End Of File - - 3FB82E4DBC8C3055828132C0FE2B359C
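The Sigcheck block in the log above lists the same ntoskrnl.exe at the same version string (5.1.2600.6223) and the same size (2193920 bytes) in several locations, and marks the live c:\winnt\system32 copy "[-]" while the dllcache copy next to it carries a different MD5. The script below is an added example, not part of ComboFix or of this log: it parses those rows and flags exactly that pattern. It assumes that the bracketed prefix is ComboFix's own verdict and that "[-]" means the hash was not verified (the page does not document the flag), and it treats the dllcache copy as the reference because Windows File Protection on XP restores protected files from there. The function names and the rows it embeds (copied from the log, plus one non-record line to show it is skipped) are mine.

```python
"""Flag a live Windows system file whose MD5 differs from its dllcache copy,
using the Sigcheck rows of the ComboFix log above as input.

Added example; not ComboFix code.  Assumptions: "[-]" in the first column
means ComboFix did not verify the hash, and the dllcache copy of the same
version is the reference to compare the live system32 file against.
"""
import re
from collections import defaultdict

# Rows copied from the Sigcheck section of the log above (first five ntoskrnl.exe
# entries).  The last line is not a record and must be ignored by the parser.
SIGCHECK_LINES = [
    r"[7] 2012-05-05 . F0E6C89AB059B7CDD7991940C634889A . 2193920 . . [5.1.2600.6223] . . c:\winnt\Driver Cache\i386\ntoskrnl.exe",
    r"[-] 2012-05-05 . 7F7B62984E191AC852637A657993F907 . 2193920 . . [5.1.2600.6223] . . c:\winnt\system32\ntoskrnl.exe",
    r"[7] 2012-05-05 . F0E6C89AB059B7CDD7991940C634889A . 2193920 . . [5.1.2600.6223] . . c:\winnt\system32\dllcache\ntoskrnl.exe",
    r"[7] 2012-05-05 . 73EBA89776A0BD9D359AAAEBB152BCDB . 2193920 . . [5.1.2600.6223] . . c:\winnt\$hf_mig$\KB2707511\SP3QFE\ntoskrnl.exe",
    r"[7] 2012-04-11 . 7F1A4FFC01C9218C3EA1FFC8DCEC4171 . 2193920 . . [5.1.2600.6206] . . c:\winnt\$NtUninstallKB2707511$\ntoskrnl.exe",
    "Note: Unsigned files aren't necessarily malware.",
]

# Field layout of one Sigcheck row: [flag] date . md5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(lines):
    """Return one dict per well-formed Sigcheck row; any other line is ignored."""
    entries = []
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        parent, _, name = e["path"].rpartition("\\")
        e["parent"] = parent.lower()   # directory part, case-folded for lookups
        e["name"] = name.lower()
        entries.append(e)
    return entries


def unverified(entries):
    """Rows ComboFix itself flagged "[-]" (assumed here to mean: hash not verified)."""
    return [e for e in entries if e["flag"] == "-"]


def find_mismatches(entries):
    """Compare each file that lives directly in a system32 directory with the
    copy in that directory's dllcache subfolder carrying the same version string.

    Only that pair is compared on purpose: the hotfix staging copies under
    $hf_mig$ (SP3QFE) are QFE-branch builds and legitimately hash differently at
    the same version, so comparing every copy against dllcache would produce
    false positives.
    """
    by_key = defaultdict(dict)              # (name, version) -> {parent dir: entry}
    for e in entries:
        by_key[(e["name"], e["version"])][e["parent"]] = e

    findings = []
    for (name, version), copies in by_key.items():
        for parent, live in copies.items():
            if not parent.endswith("\\system32"):
                continue                    # not the live protected-file location
            ref = copies.get(parent + "\\dllcache")
            if ref is None:
                continue                    # no backup copy of this version to compare
            if live["md5"] != ref["md5"]:
                findings.append({
                    "path": live["path"],
                    "version": version,
                    "md5": live["md5"],
                    "expected_md5": ref["md5"],
                    "same_size": live["size"] == ref["size"],
                })
    return findings


if __name__ == "__main__":
    rows = parse_sigcheck(SIGCHECK_LINES)
    for f in find_mismatches(rows):
        print(f"MISMATCH {f['path']} v{f['version']}: {f['md5']} != dllcache {f['expected_md5']}"
              f" (same size: {f['same_size']})")
    for e in unverified(rows):
        print(f"UNVERIFIED by ComboFix: {e['path']}")
```

Run stand-alone, it reports one mismatch, the live c:\winnt\system32\ntoskrnl.exe, with the same size as its dllcache copy but a different MD5, which is the same row ComboFix marked "[-]". A kernel image that differs from its protected backup at identical version and size deserves follow-up before anything else in the log; on XP, `sfc /scannow` re-copies protected files from dllcache, which is also why the dllcache copy is the useful reference here.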