ComboFix 10-06-29.04 - Administrator 2010-06-30 20:27:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.2045.1587 [GMT 2:00]
Run from: c:\documents and settings\Administrator\Pulpit\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((((((((((((((((((((((   Deleted   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\BisonC07.dll
c:\windows\system32\sshnas21.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Service_SSHNAS


(((((((((((((((((((((((((   Files created from 2010-05-28 to 2010-06-30  )))))))))))))))))))))))))))))))
.

2010-06-30 18:30 . 2010-06-30 18:30  --------  d-----w-  c:\windows\system32\xircom
2010-06-30 18:30 . 2010-06-30 18:30  --------  d-----w-  c:\windows\system32\wbem\snmp
2010-06-30 18:30 . 2010-06-30 18:30  --------  d-----w-  c:\windows\system32\oobe
2010-06-30 18:30 . 2010-06-30 18:30  --------  d-----w-  c:\windows\srchasst
2010-06-30 18:30 . 2010-06-30 18:30  --------  d-----w-  c:\windows\msagent
2010-06-30 18:30 . 2010-06-30 18:30  --------  d-----w-  c:\program files\microsoft frontpage
2010-06-30 17:17 . 2010-06-30 17:17  --------  d-----w-  c:\documents and settings\Administrator\DoctorWeb
2010-06-30 16:18 . 2010-06-30 16:18  203264  ----a-w-  c:\windows\Bmylub.exe
2010-06-30 15:56 . 2010-06-30 15:56  --------  d-----w-  c:\documents and settings\Administrator\Dane aplikacji\Malwarebytes
2010-06-30 15:56 . 2010-04-29 13:39  38224  ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 15:56 . 2010-06-30 15:56  --------  d-----w-  c:\documents and settings\All Users\Dane aplikacji\Malwarebytes
2010-06-30 15:56 . 2010-04-29 13:39  20952  ----a-w-  c:\windows\system32\drivers\mbam.sys
2010-06-30 15:52 . 2010-06-30 15:52  203264  ----a-w-  c:\windows\Bmylua.exe
2010-06-28 11:53 . 2010-06-28 11:53  --------  d-----r-  C:\Country
2010-06-26 20:05 . 2010-06-26 20:05  --------  d-----w-  c:\windows\system32\wbem\Repository

.
((((((((((((((((((((((((((((((((((((((((   Find3M section   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2010-06-29 20:31 . 2010-02-04 13:34  --------  d-----w-  c:\documents and settings\Administrator\Dane aplikacji\Skype
2010-06-17 21:34 . 2010-02-04 14:04  --------  d-----w-  c:\documents and settings\Administrator\Dane aplikacji\Gadu-Gadu 10
2010-06-17 11:00 . 2010-02-19 21:18  --------  d-----w-  c:\documents and settings\All Users\Dane aplikacji\OpenFM
2010-06-17 08:24 . 2010-02-04 13:44  --------  d-----w-  c:\documents and settings\Administrator\Dane aplikacji\skypePM
2010-06-15 12:25 . 2001-10-26 18:15  67158  ----a-w-  c:\windows\system32\perfc015.dat
2010-06-15 12:25 . 2001-10-26 18:15  437192  ----a-w-  c:\windows\system32\perfh015.dat
2010-06-01 21:27 . 2010-02-04 14:07  --------  d-----w-  c:\documents and settings\Administrator\Dane aplikacji\ipla
2010-05-31 22:14 . 2010-02-04 14:07  --------  d-----w-  c:\program files\ipla
2010-05-31 22:14 . 2010-02-04 14:07  --------  d-----w-  c:\documents and settings\All Users\Dane aplikacji\ipla
2010-05-30 17:59 . 2010-05-30 17:58  --------  d-----w-  c:\documents and settings\Administrator\Dane aplikacji\U3
2010-05-14 21:08 . 2010-03-27 13:00  --------  d-----w-  c:\program files\Google
2010-05-04 14:05 . 2010-05-04 14:05  42080  ----a-w-  c:\documents and settings\All Users\Dane aplikacji\Gadu-Gadu 10\_userdata\ggbho.2.dll
2010-04-07 16:00 . 2010-04-07 16:00  24064  ----a-w-  c:\documents and settings\Administrator\Dane aplikacji\Thinstall\English Translator XT\10000004a00002i\winhlp32.exe
.

------- Sigcheck -------

[-] 2007-07-28 . 0FB6743E937C7BB248B2530A5A77ABC6 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
[-] 2007-07-13 . A29DE506E89C131C0AACC86047CB1373 . 3856896 . . [7.00.6000.20591] . . c:\windows\system32\mshtml.dll
[-] 2007-07-26 . 316ACC3AC43FC855204CE5E775F66B91 . 2145792 . . [5.1.2600.3093] . . c:\windows\system32\ntoskrnl.exe
[-] 2007-07-10 . CE594E18FE0D0AF804F1F3694921CE62 . 642560 . . [5.1.2600.3099] . . c:\windows\system32\user32.dll
[-] 2007-07-13 . CE7193C5F7C01B19768E066087C1C919 . 814592 . . [7.00.6000.20583] . . c:\windows\system32\wininet.dll
[-] 2007-07-13 . 32F67215C57DF2C401BF93B7EE65987F . 974848 . . [6.00.2900.2649] . . c:\windows\explorer.exe
[-] 2007-07-27 . 89878732D5EB0C845AD2356081142F2A . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll

c:\windows\System32\wuauclt.exe ... is missing !!
c:\windows\System32\regsvc.dll ... is missing !!
.

(((((((((((((((((((((((((((((((((((((   Registry startup entries   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-28 13529088]
"nwiz"="nwiz.exe" [2008-03-28 1626112]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-16 634880]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-16 102400]
"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]
"DeLay"="c:\windows\BisonCam\DeLay.exe" [2008-03-11 53248]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2007-07-27 124928]

c:\documents and settings\Administrator\Menu Start\Programy\Autostart\
Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
HotKeyDriver.lnk - c:\program files\HotKey_Driver\HotKeyDriver.exe [2010-2-3 3641344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPLA!]
2010-05-14 10:39  16201216  ----a-w-  c:\program files\ipla\ipla.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Programy\\Gadu Gadu\\Gadu-Gadu 10\\gg.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-03 108289]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2010-02-04 288000]
S2 gupdate;Usługa Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-27 136176]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;d:\programy\EVEREST Home Edition\kerneld.wnt [2005-08-18 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-27 13:00]

2010-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-27 13:00]
.
.
------- Supplementary scan -------
.
uStart Page = hxxp://start24.pl/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-CenturyMedia - c:\country\Life\rox.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EverestDriver]
"ImagePath"="\??\d:\programy\EVEREST Home Edition\kerneld.wnt"
.
--------------------- DLLs loaded under running processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\cscui.dll

- - - - - - - > 'explorer.exe'(2284)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\shimgvw.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
------------------------ Other running processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-06-30 20:32:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-30 18:32

Pre-Run: 25 983 959 040 bytes free
Post-Run: 25 937 735 680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 31CA7C9796A4ACB3E8ABF0CF18ADDCB9
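A ComboFix report is flat text, but its sections are delimited by "((( name )))" banners and its Sigcheck and file-creation lines keep a fixed field order, so the items a responder looks at first can be pulled out mechanically. The Python below is an added example (it is not part of the log and not ComboFix's own code) that does that for four things visible in this report: what the Deleted section lists, Sigcheck lines flagged [-] or reported missing, executables created directly in the Windows root (here Bmylub.exe and Bmylua.exe, both 203264 bytes), and whether the Security Center AntiVirusOverride value is set to 1. The sample input is constructed from excerpts of the log above; the parser assumes the English banner names used in this rendering and whitespace-separated fields, so a log in another language or with tab-separated columns would need the banner names or regexes adjusted.

```python
"""Triage a ComboFix-style log (added example; not ComboFix's own code)."""
import json
import re
from typing import Dict, List

# Constructed sample: excerpts copied from the log on this page. The parser
# keys on the English banner names ("Deleted", ...) used in that rendering.
SAMPLE_LOG = r"""ComboFix 10-06-29.04 - Administrator 2010-06-30 20:27:20.1.2 - x86
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
(((((((((((((((((((((((((((((((((((((((   Deleted   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system\BisonC07.dll
c:\windows\system32\sshnas21.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SSHNAS
-------\Service_SSHNAS
(((((((((((((((((((((((((   Files created from 2010-05-28 to 2010-06-30  )))))))))))))))))))))))))))))))
.
2010-06-30 18:30 . 2010-06-30 18:30  --------  d-----w-  c:\windows\system32\xircom
2010-06-30 16:18 . 2010-06-30 16:18  203264  ----a-w-  c:\windows\Bmylub.exe
2010-06-30 15:56 . 2010-04-29 13:39  38224  ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 15:52 . 2010-06-30 15:52  203264  ----a-w-  c:\windows\Bmylua.exe
.
------- Sigcheck -------
[-] 2007-07-28 . 0FB6743E937C7BB248B2530A5A77ABC6 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
[-] 2007-07-27 . 89878732D5EB0C845AD2356081142F2A . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
c:\windows\System32\wuauclt.exe ... is missing !!
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# created . modified  size  attrs  path   (size is "--------" for directories)
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\S+)\s+(\S+)\s+(.+)$"
)
# [-] date . MD5 . size . . [file version] . . path
SIGCHECK_RE = re.compile(
    r"^\[-\] (\d{4}-\d{2}-\d{2}) \. ([0-9A-F]{32}) \. (\d+) \. \. \[([^\]]+)\] \. \. (.+)$"
)
# A PE sitting directly in %windir% rather than a subfolder is worth a look.
WINDOWS_ROOT_PE_RE = re.compile(r"^c:\\windows\\[^\\]+\.(?:exe|dll|sys)$", re.IGNORECASE)


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty, non-'.' lines under the banner that precedes them."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        banner = BANNER_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def sigcheck_findings(text: str) -> List[dict]:
    """Sigcheck lines flagged [-] plus system files reported missing."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SIGCHECK_RE.match(line)
        if m:
            findings.append({"path": m[5], "version": m[4], "md5": m[2],
                             "size": int(m[3]), "missing": False})
        elif line.endswith("is missing !!"):
            findings.append({"path": line.split(" ...")[0], "missing": True})
    return findings


def new_files_in_windows_root(text: str) -> List[dict]:
    """Entries from the 'Files created' listing that sit directly in c:\\windows."""
    hits = []
    for raw in text.splitlines():
        m = CREATED_RE.match(raw.strip())
        if m and WINDOWS_ROOT_PE_RE.match(m[5]):
            hits.append({"created": m[1], "size": int(m[3]), "path": m[5]})
    return hits


def antivirus_override_set(text: str) -> bool:
    """True if Security Center's AntiVirusOverride is 1 (AV status alerts suppressed)."""
    in_key = False
    for raw in text.splitlines():
        line = raw.strip().lower()
        if line.startswith("[hk"):
            in_key = line == r"[hkey_local_machine\software\microsoft\security center]"
        elif in_key and line == '"antivirusoverride"=dword:00000001':
            return True
    return False


def triage(text: str) -> dict:
    """One dict with the items a responder would review first."""
    sections = split_sections(text)
    return {
        "deleted": sections.get("Deleted", []),
        "sigcheck": sigcheck_findings(text),
        "windows_root_files": new_files_in_windows_root(text),
        "av_override": antivirus_override_set(text),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run against the sample it reports the three deleted items, the two [-] Sigcheck entries plus the missing wuauclt.exe, the two same-size executables in the Windows root, and av_override true; point it at a saved full report with `triage(open(path).read())` to get the same summary for the whole file.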