ComboFix 11-04-22.03 - GOSIA 2011-04-23 16:35:40.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1250.48.1045.18.2010.1166 [GMT 2:00]
Uruchomiony z: D:\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe
c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe
c:\program files\Java\jre6\bin\jusched.exe
c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
c:\program files\Nowe Gadu-Gadu\gg.exe
c:\program files\QuickTime\QTTask.exe
c:\users\GOSIA\AppData\Roaming\.#
c:\users\GOSIA\AppData\Roaming\.#\MBX@6F0@1F22920.###
c:\users\GOSIA\AppData\Roaming\.#\MBX@6F0@1F22950.###
c:\users\GOSIA\AppData\Roaming\.#\MBX@6F0@1F22980.###
c:\users\GOSIA\AppData\Roaming\addon.dat
c:\users\GOSIA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crss.exe
c:\users\GOSIA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explore.exe
c:\users\GOSIA\xoufoj.exe
c:\windows\svchost.exe
c:\windows\system32\GnUCdna.dll
c:\windows\system32\update.txt
.
.
((((((((((((((((((((((((( Pliki utworzone od 2011-03-23 do 2011-04-23 )))))))))))))))))))))))))))))))
.
.
2011-04-23 14:49 . 2011-04-23 14:49 -------- d-----w- c:\users\GOSIA\AppData\Local\temp
2011-04-23 14:49 . 2011-04-23 14:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-23 13:55 . 2011-04-23 13:55 -------- d-----w- C:\SOPHTEMP
2011-04-23 13:25 . 2011-04-23 13:26 -------- d-----w- C:\totalcmd
2011-04-23 13:25 . 2011-04-23 13:25 -------- d-----w- c:\users\GOSIA\AppData\Roaming\GHISLER
2011-04-23 13:25 . 2010-12-17 05:56 545 ----a-w- c:\windows\UC.PIF
2011-04-23 13:25 . 2010-12-17 05:56 545 ----a-w- c:\windows\RAR.PIF
2011-04-23 13:25 . 2010-12-17 05:56 545 ----a-w- c:\windows\PKZIP.PIF
2011-04-23 13:25 . 2010-12-17 05:56 545 ----a-w- c:\windows\PKUNZIP.PIF
2011-04-23 13:25 . 2010-12-17 05:56 545 ----a-w- c:\windows\NOCLOSE.PIF
2011-04-23 13:25 . 2010-12-17 05:56 545 ----a-w- c:\windows\LHA.PIF
2011-04-23 13:25 . 2010-12-17 05:56 545 ----a-w- c:\windows\ARJ.PIF
2011-04-23 13:24 . 2011-04-23 14:04 -------- d-----w- c:\programdata\Kaspersky Lab
2011-04-23 13:23 . 2009-10-22 11:54 37392 ----a-w- c:\windows\system32\drivers\57349202.sys
2011-04-23 13:23 . 2009-10-09 21:31 311312 ----a-w- c:\windows\system32\drivers\5734920.sys
2011-04-23 13:23 . 2009-09-25 15:59 128016 ----a-w- c:\windows\system32\drivers\57349201.sys
2011-04-23 12:52 . 2011-04-23 12:52 -------- d-----w- C:\found.002
2011-04-19 19:28 . 2011-04-11 07:04 7071056 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D1438953-F459-4ACD-8A99-94EAC624599F}\mpengine.dll
2011-04-15 20:47 . 2011-02-16 13:24 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-04-15 20:47 . 2011-02-16 15:29 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-04-15 20:45 . 2011-02-22 12:52 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-15 20:45 . 2011-02-22 12:52 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-15 20:45 . 2011-02-22 12:51 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-15 20:45 . 2011-02-22 12:51 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-15 20:45 . 2011-03-10 16:12 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-04-15 20:45 . 2011-03-10 16:12 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-15 20:43 . 2011-02-18 13:31 304640 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-15 20:43 . 2011-02-18 13:31 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-15 20:43 . 2011-02-18 13:31 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-15 20:40 . 2011-03-02 14:49 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-15 20:40 . 2009-05-04 10:11 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-04-15 20:39 . 2011-03-03 12:53 2040832 ----a-w- c:\windows\system32\win32k.sys
2011-04-15 20:37 . 2011-03-03 15:00 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-15 20:13 . 2011-02-17 06:23 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-15 20:00 . 2011-03-03 10:49 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-04-14 14:51 . 2011-04-14 14:51 -------- d-----w- c:\users\GOSIA\AppData\Local\MetaGeek,_LLC
2011-04-14 14:50 . 2011-04-14 14:50 -------- d-----w- c:\program files\MetaGeek
2011-04-09 08:20 . 2009-03-18 15:35 26176 ---ha-w- c:\windows\system32\hamachi.sys
2011-04-09 08:18 . 2011-04-23 14:47 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-03-29 19:06 . 2008-06-20 10:10 65536 ----a-w- c:\windows\system32\Autodial2000.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 16:11 . 2009-10-03 09:14 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5a089bcd-c7f1-4064-8702-f58d8bd5d61f}"= "c:\program files\Sigma_Team\tbSig0.dll" [2007-12-10 1510424]
.
[HKEY_CLASSES_ROOT\clsid\{5a089bcd-c7f1-4064-8702-f58d8bd5d61f}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5a089bcd-c7f1-4064-8702-f58d8bd5d61f}]
2007-12-10 12:46 1510424 ----a-w- c:\program files\Sigma_Team\tbSig0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5a089bcd-c7f1-4064-8702-f58d8bd5d61f}"= "c:\program files\Sigma_Team\tbSig0.dll" [2007-12-10 1510424]
.
[HKEY_CLASSES_ROOT\clsid\{5a089bcd-c7f1-4064-8702-f58d8bd5d61f}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{5A089BCD-C7F1-4064-8702-F58D8BD5D61F}"= "c:\program files\Sigma_Team\tbSig0.dll" [2007-12-10 1510424]
.
[HKEY_CLASSES_ROOT\clsid\{5a089bcd-c7f1-4064-8702-f58d8bd5d61f}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{9B71D88C-C598-4935-C5D1-43AA4DB90836}"="c:\users\GOSIA\AppData\Roaming\Tibia" [X]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25745704]
"Steam"="c:\program files\Steam\steam.exe" [2010-11-17 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-09-04 200704]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-09 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-09 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-09 154136]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"BigDog303"="c:\windows\VM303_STI.EXE" [2006-01-24 61440]
"ORAHSSSessionManager"="c:\program files\Livebox\SessionManager\SessionManager.exe" [2008-06-10 107248]
.
c:\users\GOSIA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
IMVU.lnk - c:\users\GOSIA\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [N/A]
setup_9.0.0.722_09.04.2011_12-42.lnk - c:\users\GOSIA\Desktop\Virus Removal Tool\setup_9.0.0.722_09.04.2011_12-42\startup.exe [2011-4-23 72208]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-11-23 3608412]
R3 PCAMp50;PCAMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\PCAMp50.sys [2006-11-28 28224]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 XDva358;XDva358;c:\windows\system32\XDva358.sys [x]
R3 XDva359;XDva359;c:\windows\system32\XDva359.sys [x]
S0 57349202;57349202 Boot Guard Driver;c:\windows\system32\DRIVERS\57349202.sys [2009-10-22 37392]
S1 57349201;57349201;c:\windows\system32\DRIVERS\57349201.sys [2009-09-25 128016]
S1 setup_9.0.0.722_09.04.2011_12-42drv;setup_9.0.0.722_09.04.2011_12-42drv;c:\windows\system32\DRIVERS\5734920.sys [2009-10-09 311312]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\aestsrv.exe [2008-12-15 81920]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2011-03-28 1242504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Akamai REG_MULTI_SZ Akamai
.
Zawartość folderu 'Zaplanowane zadania'
.
2011-04-23 c:\windows\Tasks\User_Feed_Synchronization-{5E61DE65-B917-4F25-BECC-9E71A9C6EE9A}.job
- c:\windows\system32\msfeedssync.exe [2011-04-15 04:43]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://google.pl/
FF - ProfilePath - c:\users\GOSIA\AppData\Roaming\Mozilla\Firefox\Profiles\4fu0vcfl.default\
FF - prefs.js: browser.startup.homepage - www.sfgame.pl
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
HKCU-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe
HKCU-Run-Nowe Gadu-Gadu - c:\program files\Nowe Gadu-Gadu\gg.exe
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKLM-Run-IAAnotif - c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe
HKLM-Run-PDVDDXSrv - c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe
HKLM-Run-LogMeIn Hamachi Ui - c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-23 16:49
Windows 6.0.6001 Service Pack 1 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????@?@??????????????????????????
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_USERS\S-1-5-21-2249310747-3679619916-2194120341-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:4b,97,11,a9,e9,c4,bf,38,d1,28,09,0e,4f,b4,fa,7a,c7,7b,b4,de,93,
 e4,fb,ce,14,1c,42,b5,10,e9,01,8d,d6,90,f3,cd,fb,d4,79,96,76,90,7d,7d,85,a1,\
"rkeysecu"=hex:ea,a7,ef,8d,80,b3,a3,2a,c0,ea,5c,27,8f,6c,48,4e
.
Czas ukończenia: 2011-04-23 16:54:28
ComboFix-quarantined-files.txt 2011-04-23 14:54
.
Przed: 132 412 579 840 bajtów wolnych
Po: 135 671 832 576 bajtów wolnych
.
- - End Of File - - B18804970F7D98FF13E08492CFEA569C