ComboFix 10-06-29.04 - Administrator 2010-06-30 20:53:01.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.2045.1589 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Pulpit\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\Bmylua.exe"
"c:\windows\Bmylub.exe"
.

(((((((((((((((((((((((((((((((((((((((   Deleted   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Bmylua.exe
c:\windows\Bmylub.exe

.
(((((((((((((((((((((((((   Files Created from 2010-05-28 to 2010-06-30   )))))))))))))))))))))))))))))))
.

2010-06-30 18:30 . 2010-06-30 18:30    --------    d-----w-    c:\windows\system32\xircom
2010-06-30 18:30 . 2010-06-30 18:30    --------    d-----w-    c:\windows\system32\wbem\snmp
2010-06-30 18:30 . 2010-06-30 18:30    --------    d-----w-    c:\windows\system32\oobe
2010-06-30 18:30 . 2010-06-30 18:30    --------    d-----w-    c:\windows\srchasst
2010-06-30 18:30 . 2010-06-30 18:30    --------    d-----w-    c:\windows\msagent
2010-06-30 18:30 . 2010-06-30 18:30    --------    d-----w-    c:\program files\microsoft frontpage
2010-06-30 17:17 . 2010-06-30 17:17    --------    d-----w-    c:\documents and settings\Administrator\DoctorWeb
2010-06-30 15:56 . 2010-06-30 15:56    --------    d-----w-    c:\documents and settings\Administrator\Dane aplikacji\Malwarebytes
2010-06-30 15:56 . 2010-04-29 13:39    38224       ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 15:56 . 2010-06-30 15:56    --------    d-----w-    c:\documents and settings\All Users\Dane aplikacji\Malwarebytes
2010-06-30 15:56 . 2010-04-29 13:39    20952       ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-06-28 11:53 . 2010-06-28 11:53    --------    d-----r-    C:\Country
2010-06-26 20:05 . 2010-06-26 20:05    --------    d-----w-    c:\windows\system32\wbem\Repository

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-29 20:31 . 2010-02-04 13:34    --------    d-----w-    c:\documents and settings\Administrator\Dane aplikacji\Skype
2010-06-17 21:34 . 2010-02-04 14:04    --------    d-----w-    c:\documents and settings\Administrator\Dane aplikacji\Gadu-Gadu 10
2010-06-17 11:00 . 2010-02-19 21:18    --------    d-----w-    c:\documents and settings\All Users\Dane aplikacji\OpenFM
2010-06-17 08:24 . 2010-02-04 13:44    --------    d-----w-    c:\documents and settings\Administrator\Dane aplikacji\skypePM
2010-06-15 12:25 . 2001-10-26 18:15    67158       ----a-w-    c:\windows\system32\perfc015.dat
2010-06-15 12:25 . 2001-10-26 18:15    437192      ----a-w-    c:\windows\system32\perfh015.dat
2010-06-01 21:27 . 2010-02-04 14:07    --------    d-----w-    c:\documents and settings\Administrator\Dane aplikacji\ipla
2010-05-31 22:14 . 2010-02-04 14:07    --------    d-----w-    c:\program files\ipla
2010-05-31 22:14 . 2010-02-04 14:07    --------    d-----w-    c:\documents and settings\All Users\Dane aplikacji\ipla
2010-05-30 17:59 . 2010-05-30 17:58    --------    d-----w-    c:\documents and settings\Administrator\Dane aplikacji\U3
2010-05-14 21:08 . 2010-03-27 13:00    --------    d-----w-    c:\program files\Google
2010-05-04 14:05 . 2010-05-04 14:05    42080       ----a-w-    c:\documents and settings\All Users\Dane aplikacji\Gadu-Gadu 10\_userdata\ggbho.2.dll
2010-04-07 16:00 . 2010-04-07 16:00    24064       ----a-w-    c:\documents and settings\Administrator\Dane aplikacji\Thinstall\English Translator XT\10000004a00002i\winhlp32.exe
.

------- Sigcheck -------

[-] 2007-07-28 . 0FB6743E937C7BB248B2530A5A77ABC6 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
[-] 2007-07-13 . A29DE506E89C131C0AACC86047CB1373 . 3856896 . . [7.00.6000.20591] . . c:\windows\system32\mshtml.dll
[-] 2007-07-26 . 316ACC3AC43FC855204CE5E775F66B91 . 2145792 . . [5.1.2600.3093] . . c:\windows\system32\ntoskrnl.exe
[-] 2007-07-10 . CE594E18FE0D0AF804F1F3694921CE62 . 642560 . . [5.1.2600.3099] . . c:\windows\system32\user32.dll
[-] 2007-07-13 . CE7193C5F7C01B19768E066087C1C919 . 814592 . . [7.00.6000.20583] . . c:\windows\system32\wininet.dll
[-] 2007-07-13 . 32F67215C57DF2C401BF93B7EE65987F . 974848 . . [6.00.2900.2649] . . c:\windows\explorer.exe
[-] 2007-07-27 . 89878732D5EB0C845AD2356081142F2A . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll

c:\windows\System32\wuauclt.exe ... is missing !!
c:\windows\System32\regsvc.dll ... is missing !!
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-28 13529088]
"nwiz"="nwiz.exe" [2008-03-28 1626112]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-16 634880]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-16 102400]
"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]
"DeLay"="c:\windows\BisonCam\DeLay.exe" [2008-03-11 53248]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2007-07-27 124928]

c:\documents and settings\Administrator\Menu Start\Programy\Autostart\
Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
HotKeyDriver.lnk - c:\program files\HotKey_Driver\HotKeyDriver.exe [2010-2-3 3641344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPLA!]
2010-05-14 10:39    16201216    ----a-w-    c:\program files\ipla\ipla.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Programy\\Gadu Gadu\\Gadu-Gadu 10\\gg.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-03 108289]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2010-02-04 288000]
S2 gupdate;Usługa Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-27 136176]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;d:\programy\EVEREST Home Edition\kerneld.wnt [2005-08-18 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ    getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-27 13:00]

2010-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-27 13:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start24.pl/
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Funkcja Google Sidewiki - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-30 20:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EverestDriver]
"ImagePath"="\??\d:\programy\EVEREST Home Edition\kerneld.wnt"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\cscui.dll
.
Completion time: 2010-06-30 20:55:51
ComboFix-quarantined-files.txt  2010-06-30 18:55
ComboFix2.txt  2010-06-30 18:32

Before: 25 945 927 680 bytes free
After: 25 932 955 648 bytes free

- - End Of File - - AC45EF03D7149413E4F58CE4F1D8BE21
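Added example, not part of the posted log: a small Python parser for the Sigcheck block and the "... is missing !!" lines above, so that the flagged files can be pulled out of a pasted log and compared against hashes taken from a known-clean install instead of being eyeballed. Assumptions: a leading `[-]` is read as ComboFix's marker for a file that did not pass its signature check, the `known_good` table is a placeholder the responder fills from a trusted reference machine, and the sample lines are copied from this log as a constructed fixture.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed fixture: Sigcheck and "is missing" lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2007-07-28 . 0FB6743E937C7BB248B2530A5A77ABC6 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
[-] 2007-07-13 . A29DE506E89C131C0AACC86047CB1373 . 3856896 . . [7.00.6000.20591] . . c:\windows\system32\mshtml.dll
[-] 2007-07-26 . 316ACC3AC43FC855204CE5E775F66B91 . 2145792 . . [5.1.2600.3093] . . c:\windows\system32\ntoskrnl.exe
[-] 2007-07-27 . 89878732D5EB0C845AD2356081142F2A . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll

c:\windows\System32\wuauclt.exe ... is missing !!
c:\windows\System32\regsvc.dll ... is missing !!
"""

# One Sigcheck record: [flag] date . md5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
# "path ... is missing !!" (a dash before "is missing" is tolerated for translated logs)
MISSING_RE = re.compile(r"^(?P<path>.+?)\s+\.\.\.\s+(?:-\s+)?is missing !!\s*$")


@dataclass(frozen=True)
class SigcheckEntry:
    flag: str      # text inside the leading brackets; "-" assumed to mean "failed signature check"
    date: str
    md5: str       # upper-case hex
    size: int
    version: str
    path: str      # lower-cased so it can be used as a dictionary key

    @property
    def failed(self) -> bool:
        return self.flag == "-"


def parse_sigcheck(text: str) -> List[SigcheckEntry]:
    """Extract every Sigcheck record from a pasted ComboFix log."""
    entries: List[SigcheckEntry] = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigcheckEntry(m["flag"], m["date"], m["md5"].upper(),
                                         int(m["size"]), m["version"], m["path"].lower()))
    return entries


def parse_missing(text: str) -> List[str]:
    """Paths ComboFix reported as absent (e.g. wuauclt.exe, regsvc.dll in this log)."""
    found: List[str] = []
    for line in text.splitlines():
        m = MISSING_RE.match(line.strip())
        if m:
            found.append(m["path"].lower())
    return found


def compare_hashes(entries: List[SigcheckEntry],
                   known_good: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(path, md5_seen, md5_expected) for entries whose hash differs from the reference table.

    known_good maps lower-case path -> MD5 collected from a trusted reference install
    of the same Windows build; it is caller-supplied, nothing here is a vendor hash list.
    """
    mismatches: List[Tuple[str, str, str]] = []
    for e in entries:
        ref = known_good.get(e.path)
        if ref is not None and ref.upper() != e.md5:
            mismatches.append((e.path, e.md5, ref.upper()))
    return mismatches


def triage(text: str) -> Dict[str, List[str]]:
    """Group the findings so a responder sees what to re-hash or restore first."""
    entries = parse_sigcheck(text)
    return {
        # OS files that failed the check are the priority: kernel, TCP/IP stack, WFP itself
        "failed_sigcheck_in_system32": sorted(e.path for e in entries
                                              if e.failed and "\\system32\\" in e.path),
        "failed_sigcheck_elsewhere": sorted(e.path for e in entries
                                            if e.failed and "\\system32\\" not in e.path),
        "missing": parse_missing(text),
        # Mixed XP build numbers across core binaries are worth a second look
        "build_versions_seen": sorted({e.version for e in entries
                                       if e.version.startswith("5.1.2600.")}),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key, items)
```

On this log the interesting output is the spread of XP build numbers among files that all failed the check (sfcfiles.dll at 5.1.2600.2180 beside an ntoskrnl.exe at .3093) and the two missing system files; together with "AntiVirusOverride"=dword:00000001 and the AV's on-access scanner being disabled, those are the items to confirm against clean reference hashes before treating the machine as cleaned.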