ComboFix 13-05-06.03 - Administrator 2013-05-06 22:38:07.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.1977.1390 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Pulpit\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Dane aplikacji\1566.exe
c:\documents and settings\Administrator\Dane aplikacji\1567.exe
c:\documents and settings\Administrator\Dane aplikacji\156E.exe
c:\documents and settings\Administrator\Dane aplikacji\A92359174.exe
c:\documents and settings\Administrator\Dane aplikacji\BB1.exe
c:\documents and settings\Administrator\Dane aplikacji\F.exe
c:\program files\Common Files\System\win32.exe
c:\windows\system\lsass.dll
c:\windows\system\lsass.exe
c:\windows\system\svchost.dll
c:\windows\system32\r2c
c:\windows\system32\r2c\hid.exe
c:\windows\system32\r2c\mirc.exe
c:\windows\system32\r2c\mirc.ini
c:\windows\system32\r2c\raw.txt
c:\windows\system32\r2c\remote.ini
c:\windows\system32\r2c\root.bat
c:\windows\system32\r2c\root.reg
c:\windows\system32\r2c\script.txt
.
.
((((((((((((((((((((((((( Files created from 2013-04-06 to 2013-05-06 )))))))))))))))))))))))))))))))
.
.
2013-05-06 20:31 . 2013-05-06 20:31 118784 ----a-w- c:\windows\system32\chg.exe
2013-05-05 20:37 . 2013-05-05 20:37 131072 --sh--r- c:\documents and settings\win32.exe
2013-05-05 17:53 . 2013-05-05 17:53 -------- d-----w- c:\program files\KAZAA
2013-05-05 17:53 . 2013-05-05 17:53 -------- d-----w- C:\My Downloads
2013-04-13 09:58 . 2008-04-14 20:50 26624 ----a-w- c:\documents and settings\LocalService\Dane aplikacji\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-22 15:15 . 2012-05-21 22:41 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-22 15:15 . 2012-05-21 22:41 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-14 19:35 . 2013-03-14 19:30 2230144 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2013-03-14 19:30 . 2013-03-14 19:30 18368 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Microsoft\VSA\9.0\1033\ResourceCache.dll
2013-03-08 08:36 . 2013-03-08 08:37 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-08 08:36 . 2012-09-10 19:03 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-08 08:36 . 2012-09-10 19:03 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-08 08:36 . 2012-05-04 22:30 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-17 09:45 . 2012-09-17 09:45 0 ----a-w- c:\program files\Common Files\userInit.dll
2012-09-11 02:21 . 2012-09-11 02:21 27958 ----a-w- c:\program files\Common Files\logonInit.dll
2012-12-22 15:51 . 2012-12-22 15:51 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay1]
@="{E68D0A50-3C40-4712-B90D-DCFA93FF2534}"
[HKEY_CLASSES_ROOT\CLSID\{E68D0A50-3C40-4712-B90D-DCFA93FF2534}]
2012-06-05 09:41 1232896 ----a-w- c:\documents and settings\All Users\Dane aplikacji\GG\ggdrive\ggdrive-overlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay2]
@="{E68D0A51-3C40-4712-B90D-DCFA93FF2534}"
[HKEY_CLASSES_ROOT\CLSID\{E68D0A51-3C40-4712-B90D-DCFA93FF2534}]
2012-06-05 09:41 1232896 ----a-w- c:\documents and settings\All Users\Dane aplikacji\GG\ggdrive\ggdrive-overlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay3]
@="{E68D0A52-3C40-4712-B90D-DCFA93FF2534}"
[HKEY_CLASSES_ROOT\CLSID\{E68D0A52-3C40-4712-B90D-DCFA93FF2534}]
2012-06-05 09:41 1232896 ----a-w- c:\documents and settings\All Users\Dane aplikacji\GG\ggdrive\ggdrive-overlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay4]
@="{E68D0A53-3C40-4712-B90D-DCFA93FF2534}"
[HKEY_CLASSES_ROOT\CLSID\{E68D0A53-3C40-4712-B90D-DCFA93FF2534}]
2012-06-05 09:41 1232896 ----a-w- c:\documents and settings\All Users\Dane aplikacji\GG\ggdrive\ggdrive-overlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2013-02-20 1597864]
"Akamai NetSession Interface"="c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\Akamai\netsession_win.exe" [2013-01-26 4480768]
"Spotify Web Helper"="c:\documents and settings\Administrator\Dane aplikacji\Spotify\Data\SpotifyWebHelper.exe" [2013-05-05 1105408]
"Spotify"="c:\documents and settings\Administrator\Dane aplikacji\Spotify\Spotify.exe" [2013-05-05 4573184]
"TorrentStream"="c:\documents and settings\Administrator\Dane aplikacji\TorrentStream\engine\tsengine.exe" [2013-03-06 26744]
"ALLUpdate"="c:\program files\ALLPlayer\ALLUpdate.exe" [2013-01-23 2995712]
"IniciarProgramas"="c:\windows\system\run.bat" [2012-02-29 241]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-01 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-01 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-01 141848]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-07-19 773144]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-11-27 298536]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"ACUMon"="c:\program files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" [2004-08-09 364544]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"ADSK DLMSession"="c:\program files\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe" [2012-07-23 1632216]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-11 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Administrator\Menu Start\Programy\Autostart\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
LOLRecorder.lnk - c:\program files\LOLReplay\LOLRecorder.exe [2012-10-31 522752]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-11-27 15:41 109568 ----a-w- c:\windows\system32\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-11-27 15:40 286720 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\furyesl\\counter-strike\\hl.exe"=
"\\??\\c:\\WINDOWS\\system32\\winlogon.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Steam\\steamapps\\malykracy1\\counter-strike\\hl.exe"=
"c:\\Program Files\\Veetle\\Player\\VeetleNet.exe"=
"c:\\Documents and Settings\\Administrator\\Dane aplikacji\\Spotify\\spotify.exe"=
"c:\\Documents and Settings\\Administrator\\Dane aplikacji\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Administrator\\Dane aplikacji\\TorrentStream\\engine\\tsengine.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Documents and Settings\\Administrator\\Moje dokumenty\\Downloads\\uTorrent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56604:TCP"= 56604:TCP:Pando Media Booster
"56604:UDP"= 56604:UDP:Pando Media Booster
"50248:TCP"= 50248:TCP:Autodesk Content Service
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2012-05-05 24064]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2012-10-17 187736]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2012-10-17 94040]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2007-11-27 185896]
R2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2012-01-31 19232]
R2 KMService;KMService;c:\windows\system32\srvany.exe [2012-11-20 8192]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2012-05-05 576024]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2012-05-05 2054680]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2012-05-05 44800]
R3 PCX500;Cisco Wireless LAN Adapters Driver;c:\windows\system32\drivers\pcx500.sys [2012-05-05 118272]
R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2012-09-13 115544]
S3 AndNetDiag;LGE AndroidNet USB Serial Port;c:\windows\system32\drivers\lgandnetdiag.sys [2013-01-28 23040]
S3 ANDNetModem;LGE AndroidNet USB Modem;c:\windows\system32\drivers\lgandnetmodem.sys [2013-01-28 27776]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2012-05-05 144480]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2012-11-28 207616]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2012-09-13 104280]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [2009-12-08 48128]
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-21 15:15]
.
2013-05-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3094104702-925323197-3564856798-500Core.job
- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2012-05-04 15:49]
.
2013-05-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3094104702-925323197-3564856798-500UA.job
- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2012-05-04 15:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gazeta.pl/0,0.html?p=138
mStart Page = hxxp://www.22apple.com/newtab?utm_source=b&ch=bnl&uid=ST3160815AS_6RX7VYXG&reg=1363115172
uInternet Settings,ProxyOverride =
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Wyślij &do programu OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 62.179.1.63 62.179.1.62
FF - ProfilePath - c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\7uhjq6z7.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - 22apple
FF - prefs.js: browser.startup.homepage - hxxp://www.gazeta.pl/0,0.html?p=138
FF - prefs.js: keyword.URL - hxxp://startsear.ch/?src=sp&aff=51&cf=55328c71-4206-11e2-a4b5-00064f859d28&q=
FF - ExtSQL: 2013-03-12 20:12; magicplayer@torrentstream.org; c:\documents and settings\Administrator\Dane aplikacji\TorrentStream\extensions\firefox\magicplayer@torrentstream.org
FF - ExtSQL: 2013-04-03 21:39; ts-ei@vcheekfzz.com; c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\7uhjq6z7.default\extensions\ts-ei@vcheekfzz.com
FF - ExtSQL: 2013-04-06 20:22; IplextoALL@ALLPlayer.org; c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\7uhjq6z7.default\extensions\IplextoALL@ALLPlayer.org
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-A92359174 - c:\documents and settings\Administrator\Dane aplikacji\A92359174.exe
HKCU-Run-Kflklu - c:\documents and settings\Administrator\Dane aplikacji\Kflklu.exe
HKLM-Run-A92359174 - c:\documents and settings\Administrator\Dane aplikacji\A92359174.exe
HKLM-Run-UpdateShield - c:\windows\System32\r2c\mIRC.exe
HKLM-RunOnce-A92359174 - c:\documents and settings\Administrator\Dane aplikacji\A92359174.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-06 22:46
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwEnumerateValueKey, ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Administrator\Dane aplikacji\Kflklu.exe 139264 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3094104702-925323197-3564856798-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e7,a1,ee,56,9e,f4,5a,4d,a5,37,8f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,61,c1,db,7b,05,9c,7e,49,bf,6c,30,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e7,a1,ee,56,9e,f4,5a,4d,a5,37,8f,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs loaded under running processes ---------------------
.
- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\accrypto.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll
c:\windows\system32\msi.dll
c:\windows\system32\cswgina.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\windows\system32\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll
.
Completion time: 2013-05-06 22:49:24
ComboFix-quarantined-files.txt 2013-05-06 20:49
ComboFix2.txt 2013-05-05 20:18
.
Pre-Run: 69 035 130 880 bytes free
Post-Run: 69 040 115 712 bytes free
.
- - End Of File - - 384329F0142A79A643AB3611317FCAD6
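The log above is raw tool output, and the triage decisions (which Run entries are odd, why the hidden+system win32.exe and the catchme hidden file matter, what a disabled host firewall implies) are left to the reader. The script below is an added example, not part of the log and not ComboFix's own code: it parses the record types of a ComboFix-style log that carry the most signal (autostart values under a Run key, the created-files list with its attribute field, the firewall policy, catchme's hidden-file lines and the orphan list) and scores each autostart target with the heuristics an analyst applies by hand. The sample input is constructed from lines excerpted from this log; the heuristics themselves (user-writable profile paths, the legacy c:\windows\system directory, script launchers, tiny images, random-looking names, executables in a subdirectory of system32) are assumptions of this example, not rules ComboFix applies.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: a handful of lines excerpted from the log above.
SAMPLE_LOG = r"""
2013-05-06 20:31 . 2013-05-06 20:31 118784 ----a-w- c:\windows\system32\chg.exe
2013-05-05 20:37 . 2013-05-05 20:37 131072 --sh--r- c:\documents and settings\win32.exe
2013-05-05 17:53 . 2013-05-05 17:53 -------- d-----w- c:\program files\KAZAA
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2013-02-20 1597864]
"Spotify"="c:\documents and settings\Administrator\Dane aplikacji\Spotify\Spotify.exe" [2013-05-05 4573184]
"IniciarProgramas"="c:\windows\system\run.bat" [2012-02-29 241]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
c:\documents and settings\Administrator\Dane aplikacji\Kflklu.exe 139264 bytes executable
HKCU-Run-A92359174 - c:\documents and settings\Administrator\Dane aplikacji\A92359174.exe
HKLM-Run-UpdateShield - c:\windows\System32\r2c\mIRC.exe
"""

# Record shapes as they appear in a ComboFix log.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
ORPHAN_RE = re.compile(r"^(?P<key>HK(?:CU|LM)-Run(?:Once)?-\S+) - (?P<path>.+)$")
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
FIREWALL_RE = re.compile(r'^"EnableFirewall"= (?P<value>\d+)')
HIDDEN_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) (?P<size>\d+) bytes executable$")

# Heuristics (assumptions of this example): where legitimate autoruns rarely live.
USER_WRITABLE = ("\\dane aplikacji\\", "\\application data\\", "\\ustawienia lokalne\\", "\\local settings\\", "\\temp\\")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js")
RANDOM_NAME = re.compile(r"^(?:[a-z]?\d{6,}|[0-9a-f]{1,4})\.exe$", re.I)
SYSTEM32_SUBDIR = re.compile(r"^c:\\windows\\system32\\[^\\]+\\", re.I)


@dataclass
class Finding:
    kind: str                 # autorun | orphan | file | firewall | hidden-file
    subject: str              # path, or the registry key for policy findings
    reasons: list[str] = field(default_factory=list)


def autorun_reasons(path: str, size: int | None = None) -> list[str]:
    """Reasons an autostart target deserves a closer look; empty list means nothing odd."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    reasons = []
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable profile directory")
    if p.startswith("c:\\windows\\system\\"):
        reasons.append("lives in the legacy c:\\windows\\system directory")
    if SYSTEM32_SUBDIR.match(p):
        reasons.append("executable in a subdirectory of system32")
    if base.endswith(SCRIPT_EXT):
        reasons.append("script launcher rather than a program")
    if RANDOM_NAME.match(base):
        reasons.append("random-looking file name")
    if size is not None and size < 4096:
        reasons.append(f"very small image ({size} bytes)")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, tracking the current [key] so values are read in context."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix prints "." for blank lines
            continue
        if m := KEY_RE.match(line):
            current_key = m.group("key").lower()
        elif (m := RUN_RE.match(line)) and "\\run" in current_key:
            if reasons := autorun_reasons(m.group("path"), int(m.group("size"))):
                findings.append(Finding("autorun", m.group("path"), reasons))
        elif (m := FIREWALL_RE.match(line)) and "firewallpolicy" in current_key:
            if m.group("value") == "0":
                findings.append(Finding("firewall", current_key, ["host firewall disabled for this profile"]))
        elif m := FILE_RE.match(line):
            attrs, path = m.group("attrs"), m.group("path")
            if "s" in attrs and "h" in attrs and path.lower().endswith(".exe"):
                findings.append(Finding("file", path, ["new executable with hidden+system attributes"]))
        elif m := HIDDEN_RE.match(line):
            findings.append(Finding("hidden-file", m.group("path"), ["not visible to the Win32 API (rootkit-style hiding)"]))
        elif m := ORPHAN_RE.match(line):
            reasons = autorun_reasons(m.group("path")) or ["autostart value whose target file no longer exists"]
            findings.append(Finding("orphan", m.group("path"), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}\n    " + "\n    ".join(f.reasons))
```

Run against the sample, Steam.exe produces no finding, run.bat collects three reasons, and Spotify.exe is flagged only for living under the profile directory: that last one is the expected false-positive rate of a path heuristic, which is why a real triage pass pairs this with a publisher or hash allowlist before anything is acted on. The firewall and hidden-file findings are independent of the autorun scoring and would be worth raising even on a host with no suspicious Run entries.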