ComboFix 14-04-09.02 - Ja 2014-04-11 15:16:12.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2047.1570 [GMT 2:00]
Running from: C:\ComboFix1.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((   Files created from 2014-03-11 to 2014-04-11   )))))))))))))))))))))))))))))))
.
.
2014-04-11 13:24 . 2014-04-11 13:24	--------	d-----w-	c:\windows\LastGood
2014-04-09 17:10 . 2014-04-09 17:10	--------	d-----w-	c:\windows\ERUNT
2014-04-09 17:10 . 2014-04-09 21:01	--------	d-----w-	C:\SDFix
2014-04-09 17:09 . 2014-04-09 17:09	--------	d-----w-	c:\documents and settings\Administrator.LAPEK\Dane aplikacji\Memeo
2014-03-12 21:22 . 2014-03-12 21:22	--------	d-----w-	c:\documents and settings\All Users\Dane aplikacji\simplitec
2014-03-12 21:22 . 2013-08-23 11:19	120200	----a-w-	c:\windows\system32\DLLDEV32i.dll
2014-03-12 19:50 . 2014-04-07 14:50	5128584	----a-w-	c:\windows\system32\FlashPlayerInstaller.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M section   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-07 15:46 . 2014-03-11 09:42	5195663	------r-	C:\ComboFix.exe
2014-03-11 15:02 . 2014-03-11 15:20	17037680	----a-w-	C:\IE8.exe
2014-03-11 14:43 . 2014-03-11 14:51	613720	----a-w-	C:\ie9.exe
2014-03-08 17:09 . 2014-03-08 17:14	15360	----a-w-	c:\windows\system32\ieencode.dll
2014-03-08 17:07 . 2008-04-15 12:00	443904	----a-w-	c:\windows\system32\html.iec
2014-02-21 18:51 . 2012-05-10 07:14	692616	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2014-02-21 18:51 . 2011-07-19 11:35	71048	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2014-02-06 13:43 . 2013-04-06 10:17	67824	----a-w-	c:\windows\system32\drivers\aswmonflt.sys
2014-02-06 03:38 . 2008-04-15 12:00	920064	----a-w-	c:\windows\system32\wininet.dll
2014-02-06 03:38 . 2008-04-15 12:00	920064	----a-w-	c:\windows\system32\wininet(3)(2).dll
2014-02-05 23:08 . 2008-04-15 12:00	6021120	----a-w-	c:\windows\system32\mshtml(2).dll
2014-02-05 23:08 . 2008-04-15 12:00	1216000	----a-w-	c:\windows\system32\urlmon(3)(2).dll
2014-01-25 13:43 . 2011-08-23 15:37	410784	----a-w-	c:\windows\system32\drivers\aswsp.sys
2014-01-25 13:43 . 2011-08-23 15:37	54832	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2014-01-25 13:43 . 2011-08-23 15:37	775952	----a-w-	c:\windows\system32\drivers\aswSnx.sys
2014-01-25 13:43 . 2011-08-23 15:37	57672	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2014-01-25 13:43 . 2011-08-23 15:37	43152	----a-w-	c:\windows\avastSS.scr
2014-01-25 13:43 . 2011-08-23 15:37	270240	----a-w-	c:\windows\system32\aswBoot.exe
2014-01-17 17:11 . 2014-01-17 17:11	94632	----a-w-	c:\windows\system32\WindowsAccessBridge.dll
2014-01-17 17:11 . 2014-01-17 17:11	145408	----a-w-	c:\windows\system32\javacpl.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
Cryptographic Services error !!
.
(((((((((((((((((((((((((((((((((((((   Registry autostart entries   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-01-25 13:43	259464	----a-w-	c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSSReader"="e:\breinfo2\RSSReader.exe" [2007-01-27 3069440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDFix"="c:\sdfix\RunThis.bat" [2008-11-05 964661]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-03 13:08	434176	----a-w-	c:\windows\system32\IfxWlxEN.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 00:30	74240	----a-r-	c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FRYMXINS]
c:\program files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57	959904	----a-w-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AvastUI.exe]
2014-01-25 13:43	3767096	----a-w-	c:\program files\AVAST Software\Avast\AvastUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2012-11-05 14:27	89184	----a-w-	c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CognizanceTS]
2003-12-22 16:12	17920	----a-r-	c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-08-20 08:05	166424	----a-w-	c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-08-20 08:06	141848	----a-w-	c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memeo AutoSync]
2011-05-13 00:25	144608	----a-w-	c:\program files\Memeo\AutoSync\MemeoLauncher2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memeo Backup Premium]
2011-05-13 00:07	136416	----a-w-	c:\program files\Memeo\AutoBackupPro\MemeoLauncher2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-08-20 08:06	137752	----a-w-	c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTHOSTTR]
2007-01-09 13:52	145184	----a-w-	c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2008-06-03 14:40	177456	----a-w-	c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDFix]
2008-11-05 22:58	964661	----a-w-	c:\sdfix\RunThis.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
2013-07-25 09:19	5624784	----a-w-	c:\program files\Spybot - Search & Destroy 2\SDTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 05:12	729088	----a-w-	c:\program files\Analog Devices\SoundMAX\SMax4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-05 14:36	872448	----a-w-	c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 08:16	254336	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-01-18 09:04	1028096	----a-w-	c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Antivirus"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"c:\\Program Files\\Seagate\\Seagate Dashboard\\HipServAgent\\HipServAgent.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-04-06 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2013-04-06 180248]
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-03-23 13560]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2012-09-02 40560]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-08-23 775952]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [2011-08-23 410784]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-10-01 37664]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-11-29 36768]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2008-04-15 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2008-04-15 14336]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [2013-04-06 67824]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackupPro\MemeoBackgroundService.exe [2011-05-13 25824]
R2 msftesql$OPTIVUM_2005;SQL Server FullText Search (OPTIVUM_2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [2010-03-26 91992]
R2 MSSQL$OPTIVUM_2005;SQL Server (OPTIVUM_2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2011-06-02 14088]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2011-07-18 97280]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-10-21 36352]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-10-20 3921880]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-10-20 1042272]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-10-20 171416]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2011-07-18 193840]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-08-23 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-08-23 8456]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\e:\everest home edition\kerneld.wnt --> e:\everest home edition\kerneld.wnt [?]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-08-19 43368]
S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\Drivers\VMUVC.sys --> c:\windows\system32\Drivers\VMUVC.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance	REG_MULTI_SZ   	ASBroker ASChannel
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-10 18:51]
.
2014-03-12 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-07-02 13:43]
.
2014-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-25 20:50]
.
2014-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-25 20:50]
.
2013-10-30 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-10-20 08:49]
.
2013-10-20 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-10-20 08:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.onet.pl/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Wyślij &do programu OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Wyślij do interfejsu &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\documents and settings\Ja\Dane aplikacji\Mozilla\Firefox\Profiles\y507mi3y.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.onet.pl
FF - prefs.js: keyword.URL - hxxps://www.google.com/search
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-04-11 16:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\msftesql$OPTIVUM_2005]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:OPTIVUM_2005"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\EverestDriver]
"ImagePath"="\??\e:\everest home edition\kerneld.wnt"
.
--------------------- DLLs loaded under running processes ---------------------
.
- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\APSHook.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
c:\windows\system32\IfxWlxEN.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItDAC.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItReports.DLL
c:\program files\Hewlett-Packard\IAM\Bin\BioAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\ittal.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItVCClient.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASBIoAT.dll
c:\program files\Hewlett-Packard\IAM\Bin\STEngine.dll
c:\program files\Hewlett-Packard\IAM\Bin\ittalsnap.dll
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'lsass.exe'(920)
c:\windows\system32\APSHook.dll
.
Completion time: 2014-04-11 16:37:12
ComboFix-quarantined-files.txt  2014-04-11 14:37
ComboFix2.txt  2014-04-11 07:56
ComboFix3.txt  2014-03-12 19:25
.
Before: 10,755,665,920 bytes free
After: 10,739,163,136 bytes free
.
- - End Of File - - A05BF37A3DEFD1CD51B45539AF356F4B 32052574BF9F325AE309ABC7BFD04460
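Two things in this log are easy to misread when triaging it by eye. The Sigcheck section reports a Cryptographic Services error, so the signature check produced no result at all rather than a clean one. And the firewall section lists a 3389:TCP (Remote Desktop) exception, but the entry is marked Disabled, so it is not actually an open port. The helper below is an added example written for this page, not part of ComboFix and not posted by the log's author: it parses the R0/R1/R2/S2/S3 service lines, the Windows Firewall exception lists and the AppInit_DLLs value using the line shapes visible in this log (the regexes are assumptions based on those lines, not a ComboFix specification), and returns the items an analyst checks first: services whose binary ComboFix could not find (the `[?]` marker, here EverestDriver and VMUVC), port exceptions that are really Enabled, and any DLL injected into every user-mode process through AppInit_DLLs. The sample input is a constructed excerpt of lines copied from the log above.

```python
"""Triage helper for the service, firewall and AppInit_DLLs sections of a
ComboFix log. Hypothetical tool written for this page; not part of ComboFix."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Service line (shape assumed from this log), e.g.
#   R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-04-06 49944]
#   S3 VMUVC;Vimicro ...;c:\...\VMUVC.sys --> c:\...\VMUVC.sys [?]
# The bracket holds "date size" when ComboFix found the file, or "?" when it did not.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)"
    r"(?: --> (?P<resolved>.*?))? \[(?P<meta>[^\]]*)\]$"
)
# Firewall exception line: "key"= value. The value is empty for authorised
# applications and port:proto:scope:Enabled|Disabled:name for GloballyOpenPorts.
FIREWALL_RE = re.compile(r'^"(?P<key>[^"]+)"=\s*(?P<value>.*)$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$')


@dataclass
class Service:
    state: str       # R0..R3 = running, S0..S3 = stopped (start type in the digit)
    name: str
    display: str
    path: str        # the resolved path when ComboFix printed a "-->" form
    file_found: bool  # False when the bracket is "[?]"


def parse_services(lines: List[str]) -> List[Service]:
    out = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            out.append(Service(m["state"], m["name"], m["display"],
                               m["resolved"] or m["path"], m["meta"] != "?"))
    return out


def parse_open_ports(lines: List[str]) -> List[Tuple[str, bool]]:
    """Return (port:proto, enabled) pairs from GloballyOpenPorts lines."""
    ports = []
    for line in lines:
        m = FIREWALL_RE.match(line.strip())
        if not m or not m["value"]:
            continue
        fields = m["value"].split(":")
        if len(fields) >= 4 and re.fullmatch(r"\d+", fields[0]):
            ports.append((f"{fields[0]}:{fields[1]}", fields[3] == "Enabled"))
    return ports


def triage(log_text: str) -> Dict[str, list]:
    """Collect the review-first items: missing service binaries, enabled open
    ports and AppInit_DLLs values. Presence on this list means "look", not "malware"."""
    lines = log_text.splitlines()
    findings = {
        "services_missing_binary": [s.name for s in parse_services(lines) if not s.file_found],
        "enabled_open_ports": [p for p, enabled in parse_open_ports(lines) if enabled],
        "appinit_dlls": [],
    }
    for line in lines:
        m = APPINIT_RE.match(line.strip())
        if m and m["value"].strip():
            findings["appinit_dlls"].append(m["value"].strip())
    return findings


# Constructed sample: lines copied from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-04-06 49944]
R2 MSSQL$OPTIVUM_2005;SQL Server (OPTIVUM_2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\e:\everest home edition\kerneld.wnt --> e:\everest home edition\kerneld.wnt [?]
S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\Drivers\VMUVC.sys --> c:\windows\system32\Drivers\VMUVC.sys [?]
"""

if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {items}")
```

On the sample, the two `[?]` services are reported, the 3389 entry is not (it is Disabled), and APSHook.dll is listed under `appinit_dlls`. That last item is a review prompt, not a verdict: the log shows the same DLL loaded in winlogon.exe and lsass.exe next to the HP ProtectTools/IAM components, which is consistent with it belonging to that suite, and the right next step is to check the file's publisher signature, which this log could not do because Cryptographic Services was failing.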