ComboFix 13-03-14.02 - Bia 2013-03-14 18:05:56.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.3070.1875 [GMT 1:00]
Uruchomiony z: e:\downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Dane aplikacji\TEMP
c:\windows\dasetup.log
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\DEBUG.log
c:\windows\system32\ikhcore.log
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\SET40.tmp
c:\windows\system32\SET4C.tmp
N:\Music.lnk
.
.
((((((((((((((((((((((((( Pliki utworzone od 2013-02-14 do 2013-03-14 )))))))))))))))))))))))))))))))
.
.
2013-03-10 18:53 . 2013-03-10 19:28 -------- d-----w- c:\documents and settings\Bia\Ustawienia lokalne\Dane aplikacji\Google
2013-03-10 18:53 . 2013-03-10 19:28 -------- d-----w- c:\program files\Google
2013-03-10 18:52 . 2013-03-10 18:55 -------- d-----w- c:\documents and settings\Bia\Ustawienia lokalne\Dane aplikacji\Deployment
2013-02-19 14:22 . 2002-12-05 13:10 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2013-02-19 14:22 . 2002-12-02 12:33 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2013-02-19 14:21 . 2013-02-19 14:21 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2013-02-19 14:21 . 2003-02-27 15:12 696320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2013-02-19 14:21 . 2002-12-02 14:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2013-02-19 14:21 . 2002-12-02 12:33 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2013-02-19 14:21 . 2013-02-19 14:21 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2013-02-14 20:53 . 2013-02-14 20:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-14 17:18 . 2012-08-18 13:47 227 ----a-w- c:\windows\system.tmp
2013-03-12 20:50 . 2012-08-17 21:01 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-12 20:50 . 2012-08-17 21:01 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-03 11:33 . 2012-08-18 13:47 676 ----a-w- c:\windows\win.tmp
2013-01-26 03:55 . 2008-04-15 12:00 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-07 07:27 . 2008-04-15 12:00 2150400 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 07:26 . 2008-04-14 21:59 2029056 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 10:10 . 2008-04-15 12:00 1867520 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2008-04-15 12:00 1295872 ----a-w- c:\windows\system32\quartz.dll
2013-01-02 06:49 . 2008-04-15 12:00 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2012-12-26 20:21 . 2008-04-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2012-12-26 20:21 . 2008-04-15 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-12-26 20:21 . 2008-04-15 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-12-24 06:42 . 2008-04-15 12:00 385024 ------w- c:\windows\system32\html.iec
2012-12-16 12:23 . 2008-04-15 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-15 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 22:10 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay1]
@="{E68D0A50-3C40-4712-B90D-DCFA93FF2534}"
[HKEY_CLASSES_ROOT\CLSID\{E68D0A50-3C40-4712-B90D-DCFA93FF2534}]
2012-06-05 09:41 1232896 ----a-w- c:\documents and settings\All Users\Dane aplikacji\GG\ggdrive\ggdrive-overlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay2]
@="{E68D0A51-3C40-4712-B90D-DCFA93FF2534}"
[HKEY_CLASSES_ROOT\CLSID\{E68D0A51-3C40-4712-B90D-DCFA93FF2534}]
2012-06-05 09:41 1232896 ----a-w- c:\documents and settings\All Users\Dane aplikacji\GG\ggdrive\ggdrive-overlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay3]
@="{E68D0A52-3C40-4712-B90D-DCFA93FF2534}"
[HKEY_CLASSES_ROOT\CLSID\{E68D0A52-3C40-4712-B90D-DCFA93FF2534}]
2012-06-05 09:41 1232896 ----a-w- c:\documents and settings\All Users\Dane aplikacji\GG\ggdrive\ggdrive-overlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay4]
@="{E68D0A53-3C40-4712-B90D-DCFA93FF2534}"
[HKEY_CLASSES_ROOT\CLSID\{E68D0A53-3C40-4712-B90D-DCFA93FF2534}]
2012-06-05 09:41 1232896 ----a-w- c:\documents and settings\All Users\Dane aplikacji\GG\ggdrive\ggdrive-overlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPanel"="c:\program files\Vtune\TBPanel.exe" [2008-09-05 2154496]
"Spyware Doctor"="d:\spyware doctor\swdoctor.exe" [2012-10-23 2115728]
"Facebook Update"="c:\documents and settings\Bia\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe" [2013-02-07 138096]
"DAEMON Tools Lite"="d:\daemon tools lite\DTLite.exe" [2012-04-17 3671872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="=" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-11 13574144]
"nwiz"="nwiz.exe" [2008-09-11 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-11 86016]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"GrooveMonitor"="d:\microsoft office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe Reader Speed Launcher"="d:\adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
"NSU_agent"="c:\program files\Nokia\Nokia Software Updater\nsu3ui_agent.exe" [2012-02-28 190768]
"NBAgent"="d:\nero\Nero 11\Nero BackItUp\NBAgent.exe" [2011-09-20 1493288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
.
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
SolidWorks Pobieracz w tle.lnk - c:\program files\Common Files\Menedżer instalacji SolidWorks\BackgroundDownloading\sldBgDwld.exe [2013-1-30 1855560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Dassault Systemes\\B18\\intel_a\\code\\bin\\orbixd.exe"=
"c:\\Program Files\\Dassault Systemes\\B18\\intel_a\\code\\bin\\CNEXT.exe"=
.
R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2012-10-21 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2012-10-21 5248]
R0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\drivers\NBVol.sys [2012-10-24 56496]
R0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\drivers\NBVolUp.sys [2012-10-24 12464]
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R1 LUMDriver;LUMDriver;c:\windows\system32\drivers\LUMDriver.sys [2007-04-24 16688]
R2 BBDemon;Backbone Service;c:\program files\Dassault Systemes\B18\intel_a\code\bin\CATSysDemon.exe [2007-05-04 36864]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [2011-09-23 641832]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;d:\solidworks corp\SolidWorks (2)\swScheduler\DTSCoordinatorService.exe [2011-09-27 89160]
S3 Remote Solver for Flow Simulation 2012;Remote Solver for Flow Simulation 2012;d:\solidworks corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [2011-08-17 90168]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
.
--- Inne Usługi/Sterowniki w Pamięci ---
.
*Deregistered* - mchInjDrv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2011-03-04 10:29 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-10 19:28 1630672 ----a-w- c:\program files\Google\Chrome\Application\25.0.1364.160\Installer\chrmstp.exe
.
Zawartość folderu 'Zaplanowane zadania'
.
2013-03-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-17 20:50]
.
2013-03-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1659004503-2077806209-1801674531-1004Core.job
- c:\documents and settings\Bia\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe [2013-02-07 16:12]
.
2013-03-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1659004503-2077806209-1801674531-1004UA.job
- c:\documents and settings\Bia\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe [2013-02-07 16:12]
.
2013-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-10 18:53]
.
2013-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-10 18:53]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.v9.com/?utm_source=b&utm_medium=idg2&from=idg2&uid=WDC_WD5000AAKS-00A7B2_WD-WCASY245188351883&ts=1353850009
mStart Page = hxxp://www.v9.com/?utm_source=b&utm_medium=idg2&from=idg2&uid=WDC_WD5000AAKS-00A7B2_WD-WCASY245188351883&ts=1353850009
uInternet Connection Wizard,ShellNext = iexplore
IE: E&ksportuj do programu Microsoft Excel - d:\micros~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 10.5.50.1
FF - ProfilePath - c:\documents and settings\Bia\Dane aplikacji\Mozilla\Firefox\Profiles\t83drulz.default\
FF - prefs.js: browser.search.selectedEngine - Allegro
FF - prefs.js: browser.startup.homepage - www.wp.pl
FF - ExtSQL: 2013-01-29 08:04; rmfon@rmf.fm; c:\documents and settings\Bia\Dane aplikacji\Mozilla\Firefox\Profiles\t83drulz.default\extensions\rmfon@rmf.fm.xpi
.
.
------- Skojarzenia plików -------
.
.scr=DWGTrueViewScriptFile
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-Qmrcrs - c:\documents and settings\Bia\Dane aplikacji\Qmrcrs.exe
HKU-Default-Run-Spyware Doctor - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-14 18:17
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwEnumerateValueKey, ZwQueryDirectoryFile
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
.
c:\documents and settings\Bia\Dane aplikacji\Qmrcrs.exe 147264 bytes executable
.
skanowanie pomyślnie ukończone
ukryte pliki: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\WININET.dll
d:\spyware doctor\Tools\klg.dat
.
- - - - - - - > 'lsass.exe'(780)
d:\spyware doctor\Tools\klg.dat
.
- - - - - - - > 'csrss.exe'(692)
c:\windows\system32\WININET.dll
d:\spyware doctor\Tools\klg.dat
.
Czas ukończenia: 2013-03-14 18:23:37
ComboFix-quarantined-files.txt 2013-03-14 17:23
.
Przed: 1 629 769 728 bajtów wolnych
Po: 3 287 441 408 bajtów wolnych
.
WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 5CB9049F4AB720E0C202C6564D669EA0