ComboFix 10-11-30.09 - admin 2010-12-02 9:58.1.1 - x86 Uruchomiony z: c:\documents and settings\admin\Pulpit\ComboFix.exe AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0} . ((((((((((((((((((((((((((((((((((((((( Usunięto ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\Internet Explorer\SET4E90.tmp c:\program files\Internet Explorer\SET4E91.tmp c:\windows\system32\_000005_.tmp.dll c:\windows\system32\_000006_.tmp.dll c:\windows\system32\Cache c:\windows\system32\dbexpmysql.dll c:\windows\system32\midas.dll c:\windows\system32\winlogon.bak . ((((((((((((((((((((((((( Pliki utworzone od 2010-11-02 do 2010-12-02 ))))))))))))))))))))))))))))))) . 2010-11-23 15:08 . 2010-11-23 15:08 -------- d-----w- c:\documents and settings\admin\Dane aplikacji\IDMComp 2010-11-23 15:07 . 2010-11-23 15:07 -------- d-----w- c:\program files\IDM Computer Solutions 2010-11-06 10:37 . 2010-11-06 10:37 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-09-18 10:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-15 02:50 . 2010-09-09 07:18 472808 ----a-w- c:\windows\system32\deployJava1.dll 2010-09-15 00:29 . 2007-08-28 06:14 73728 ----a-w- c:\windows\system32\javacpl.cpl 2010-09-10 05:52 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:52 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-09-10 05:52 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-03-29 258048] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-12-01 204288] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIModeChange"="Ati2mdxx.exe" [2002-05-21 28672] "AtiPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-11-07 294912] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218] "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080] "Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2009-10-12 614400] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\fxsclnt.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Opera\\opera.exe"= "c:\\WINDOWS\\system32\\SUPDSvc.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "12554:TCP"= 12554:TCP:BitComet 12554 TCP "12554:UDP"= 12554:UDP:BitComet 12554 UDP "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "5900:TCP"= 5900:TCP:vnc5900 "5800:TCP"= 5800:TCP:vnc5800 "5985:TCP"= 5985:TCP:*:Disabled:Zdalne zarządzanie systemem Windows R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 35168] R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-10-07 472280] R2 IBG_gds_db;InterBase 2007 Guardian gds_db;c:\borland\InterBase\bin\ibguard.exe -i "c:\borland\InterBase" -p gds_db --> c:\borland\InterBase\bin\ibguard.exe -i c:\borland\InterBase [?] R2 Iprip;Odbiornik RIP;c:\windows\System32\svchost.exe -k netsvcs [2004-08-04 14336] R3 IBS_gds_db;InterBase 2007 Server gds_db;c:\borland\InterBase\bin\ibserver.exe -i "c:\borland\InterBase" -p gds_db --> c:\borland\InterBase\bin\ibserver.exe -i c:\borland\InterBase [?] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys --> c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [?] S3 MonitorUsbDnld;SymbolUSBDnld;c:\windows\system32\drivers\Symbol_USB_Dwnld.sys [2003-12-02 36570] S3 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [2007-06-22 95592] S3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2007-07-20 10568] S3 P1171VID;Creative WebCam Notebook #2;c:\windows\system32\drivers\P1171Vid.sys [2007-04-25 91392] S3 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2008-08-05 16912] S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.4\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2008-08-05 16912] S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2010-09-13 132464] S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2008-10-19 30464] S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2008-10-19 12672] S3 STETH;SpeedTouch Ethernet Adapter NT Driver;c:\windows\system32\drivers\steth.sys [2008-10-19 40320] S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-01 26624] S3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\drivers\tapoas.sys [2010-08-03 26112] S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-08-04 14336] S3 wlcom51b;Compaq USB Driver;c:\windows\system32\drivers\wlcom51b.sys [2006-05-25 183296] S3 WPC300Nv2;Linksys Wireless-N Notebook Adapter WPC300Nv2 Service;c:\windows\system32\DRIVERS\WPC300Nv2.sys --> c:\windows\system32\DRIVERS\WPC300Nv2.sys [?] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504] S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\F-Secure\Anti-Virus\Win2K\FSfilter.sys --> c:\program files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [?] S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\F-Secure\Anti-Virus\Win2K\FSrec.sys --> c:\program files\F-Secure\Anti-Virus\Win2K\FSrec.sys [?] S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] WINRM REG_MULTI_SZ WINRM . . ------- Skan uzupełniający ------- . uStart Page = hxxp://interia.pl/ IE: Funkcja Google Sidewiki - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html TCP: {D383EF2C-1E7F-4883-A28E-4314262E22CB} = 80.244.128.1,80.244.128.2 TCP: {D38F2D70-6ABF-4D15-A156-293AE80947F6} = 80.244.128.1,80.244.128.2 DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} - hxxps://www.bph.pl/pi/components/bph/SignActivX.cab . - - - - USUNIĘTO PUSTE WPISY - - - - Toolbar-Locked - (no file) WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) HKU-Default-RunOnce-IETI - c:\program files\Skype\Phone\IEPlugin\unins000.exe Notify-NavLogon - (no file) AddRemove-Compact Framework Build Helper for Delphi 2006 - c:\documents and settings\All Users\Application Data\{D78D23C7-4AD4-47F1-A5F0-56ED0EA9F9A4}\cfbuildhelper100.exe AddRemove-F-Secure DAAS - c:\program files\F-Secure\fsuninst.exe AddRemove-F-Secure Diagnostics - c:\program files\F-Secure\fsuninst.exe AddRemove-F-Secure Localization API - c:\program files\F-Secure\fsuninst.exe AddRemove-F-Secure Management Agent - c:\program files\F-Secure\fsuninst.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-12-02 10:18 Windows 5.1.2600 Dodatek Service Pack 3 NTFS skanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ... skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql] "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\msftesql.exe\" -s:MSSQL.3 -f:MSSQLSERVER" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQLEXPRESS] "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQLEXPRESS" . --------------------- ZABLOKOWANE KLUCZE REJESTRU --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- Pliki DLL ładowane pod uruchomionymi procesami --------------------- - - - - - - - > 'explorer.exe'(3048) c:\windows\system32\WININET.dll c:\progra~1\WINDOW~3\wmpband.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\btncopy.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Pozostałe uruchomione procesy ------------------------ . c:\program files\Common Files\Acronis\Schedule2\schedul2.exe c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe c:\borland\InterBase\bin\ibguard.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\windows\System32\tcpsvcs.exe c:\windows\System32\snmp.exe c:\program files\Analog Devices\SoundMAX\SMAgent.exe c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe d:\program files\RealVNC\VNC4\WinVNC4.exe c:\program files\Windows Media Player\WMPNetwk.exe c:\windows\system32\SearchIndexer.exe c:\borland\InterBase\bin\ibserver.exe c:\windows\system32\wbem\wmiapsrv.exe c:\windows\system32\rundll32.exe c:\program files\Microsoft ActiveSync\wcescomm.exe c:\progra~1\MI3AA1~1\rapimgr.exe c:\windows\system32\SearchProtocolHost.exe c:\windows\system32\SearchFilterHost.exe . ************************************************************************** . Czas ukończenia: 2010-12-02 10:32:25 - komputer został uruchomiony ponownie ComboFix-quarantined-files.txt 2010-12-02 09:32 Przed: 30 032 027 648 bajtów wolnych Po: 30 227 955 712 bajtów wolnych WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin - - End Of File - - DEB8AD02C246E0F36C7B1E8414D33DA5