ComboFix 12-12-01.02 - z0r 2012-12-02 13:36:59.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.3326.2877 [GMT 1:00]
Uruchomiony z: c:\documents and settings\z0r\Pulpit\ComboFix.exe
AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-11-02 do 2012-12-02 )))))))))))))))))))))))))))))))
.
.
2012-12-01 01:04 . 2012-12-01 01:04 60416 ----a-w- c:\windows\ALCFDRTM.VER
2012-12-01 01:04 . 2012-12-01 01:04 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2012-11-30 11:21 . 2012-11-30 11:21 -------- d-----w- c:\program files\Common Files\Java
2012-11-30 11:20 . 2012-11-30 11:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-30 11:20 . 2012-11-30 11:20 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-11-30 11:20 . 2012-11-30 11:20 -------- d-----w- c:\program files\Java
2012-11-30 11:16 . 2012-11-30 11:16 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\McAfee
2012-11-29 15:18 . 2012-11-30 15:13 -------- d-----w- c:\documents and settings\z0r\Dane aplikacji\XnView
2012-11-29 15:17 . 2012-11-29 15:17 -------- d-----w- c:\program files\XnView
2012-11-29 14:54 . 2012-11-29 14:54 -------- d-----w- c:\documents and settings\z0r\Dane aplikacji\Adobe Mini Bridge CS5
2012-11-29 14:54 . 2012-11-29 14:54 -------- d-----w- c:\documents and settings\z0r\Dane aplikacji\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2012-11-29 12:16 . 2012-11-29 12:16 -------- d-----w- c:\program files\ivo
2012-11-29 12:07 . 2012-12-01 18:27 -------- d-----w- c:\program files\SubEdit-Player
2012-11-29 10:50 . 2012-11-29 10:50 -------- d-----w- c:\documents and settings\z0r\fly
2012-11-28 18:36 . 2012-11-28 18:36 -------- d-----w- c:\documents and settings\z0r\Ustawienia lokalne\Dane aplikacji\Quixel
2012-11-28 18:04 . 2012-11-28 18:04 -------- d-----w- c:\documents and settings\z0r\Ustawienia lokalne\Dane aplikacji\IsolatedStorage
2012-11-28 14:45 . 2012-11-28 14:45 -------- d--h--w- c:\windows\PIF
2012-11-28 14:44 . 2012-11-28 14:44 -------- d-----w- c:\documents and settings\z0r\Dane aplikacji\OpenOffice.org
2012-11-28 14:37 . 2012-11-28 14:38 -------- d-----w- c:\program files\OpenOffice.org 3
2012-11-28 14:37 . 2012-11-30 11:20 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-25 22:06 . 2012-11-25 23:29 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2012-11-25 22:05 . 2009-01-25 11:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2012-11-25 22:05 . 2012-11-25 22:05 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-11-25 21:12 . 2012-11-25 21:12 -------- d-----w- c:\program files\WinPcap
2012-11-19 02:17 . 2012-11-25 19:22 -------- d-----w- c:\program files\Teleport Pro
2012-11-11 22:26 . 2012-11-11 22:26 -------- d-----w- c:\documents and settings\z0r\Ustawienia lokalne\Dane aplikacji\COMODO
2012-11-10 14:36 . 2012-11-17 10:40 -------- d-----w- c:\documents and settings\z0r\Dane aplikacji\FontCreator
2012-11-04 11:58 . 2012-11-04 11:58 -------- d-----w- c:\windows\ftpcache
2012-11-04 11:45 . 2012-11-04 11:45 477240 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-11-04 11:45 . 2012-11-17 10:20 -------- d-----w- c:\documents and settings\z0r\Dane aplikacji\DAEMON Tools Lite
2012-11-04 11:45 . 2012-11-04 11:58 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\DAEMON Tools Lite
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-17 08:05 . 2012-10-03 19:09 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-17 08:05 . 2012-10-03 19:09 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-07 23:38 . 2011-10-07 14:18 99080 ----a-w- c:\windows\system32\drivers\inspect.sys
2012-11-07 23:38 . 2011-10-07 14:18 32640 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2012-11-07 23:38 . 2011-10-07 14:18 497952 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-11-07 23:38 . 2011-10-07 14:18 18096 ----a-w- c:\windows\system32\drivers\cmderd.sys
2012-11-07 23:37 . 2011-10-07 14:17 34024 ----a-w- c:\windows\system32\cmdcsr.dll
2012-11-07 23:37 . 2011-10-07 14:17 301264 ----a-w- c:\windows\system32\guard32.dll
2012-10-22 20:00 . 2009-06-09 21:45 1875584 ----a-w- c:\windows\system32\win32k.sys
2012-10-03 10:49 . 2012-10-03 10:49 1060864 ----a-w- c:\windows\system32\mfc71.dll
2012-10-03 10:49 . 2012-10-03 10:49 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-10-03 10:49 . 2012-10-03 10:49 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-10-02 18:04 . 2009-06-09 21:45 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-29 08:55 . 2012-09-29 08:55 2641408 ----a-w- c:\windows\system32\python33.dll
2012-09-29 08:54 . 2012-09-29 08:54 93696 ----a-w- c:\windows\py.exe
2012-09-29 08:54 . 2012-09-29 08:54 94208 ----a-w- c:\windows\pyw.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-06-09 . C8BDAD4065118558B3DC360FC96D81DB . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-11-22 968592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SoundMan"="SOUNDMAN.EXE" [2004-06-02 67584]
"AlcWzrd"="ALCWZRD.EXE" [2004-06-02 2533888]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-11-07 6756048]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2009-06-09 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SwitchBoard"=3 (0x3)
"SDWSCService"=2 (0x2)
"SDUpdateService"=2 (0x2)
"SDScannerService"=2 (0x2)
"rpcapd"=3 (0x3)
"MozillaMaintenance"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2011-10-07 18096]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-10-07 497952]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-10-07 32640]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S3 PhTVTune;Philips WDM TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2012-10-03 17632]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2012-10-10 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2012-10-10 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2012-10-10 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2012-10-10 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2012-10-10 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2012-10-10 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2012-10-10 115752]
S4 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2012-11-25 1103392]
S4 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2012-11-25 1369624]
S4 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [2012-11-25 168384]
S4 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://pl.yahoo.com?fr=fp-comodo
TCP: Interfaces\{09EDA689-F7E1-48FD-ABAE-2264364E8EAC}: NameServer = 192.168.0.1,192.168.0.2
TCP: Interfaces\{8847D6D6-EEBF-4042-8B89-AF409267E032}: NameServer = 31.128.24.2 31.128.0.31
FF - ProfilePath - c:\documents and settings\z0r\Dane aplikacji\Mozilla\Firefox\Profiles\trkjszps.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Firesheep: firesheep@codebutler.com - %profile%\extensions\firesheep@codebutler.com
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
HKCU-Run-AdobeBridge - (no file)
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-02 13:40
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\guard32.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(612)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(3640)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.POL
c:\program files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll
c:\program files\Spybot - Search & Destroy 2\SDHelper.dll
c:\program files\Spybot - Search & Destroy 2\snlBase150.bpl
c:\program files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
c:\program files\Spybot - Search & Destroy 2\DEC150.bpl
c:\program files\Spybot - Search & Destroy 2\JSDialogPack150.bpl
c:\program files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
c:\program files\Spybot - Search & Destroy 2\vclimg150.bpl
c:\program files\Spybot - Search & Destroy 2\VirtualTreesDXE150.bpl
c:\windows\system32\wpdshext.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
- - - - - - - > 'csrss.exe'(516)
c:\windows\system32\cmdcsr.dll
.
Czas ukończenia: 2012-12-02 13:43:03
ComboFix-quarantined-files.txt 2012-12-02 12:42
.
Przed: 18 485 915 648 bajtów wolnych
Po: 25 126 109 184 bajtów wolnych
.
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 48B2F649D2FCE63F9DE8F1D0AC9C93E9