ComboFix 10-07-24.06 - Krzysztof 2010-07-27 0:19.4.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.2559.1772 [GMT 2:00]
Run from: c:\documents and settings\Krzysztof\Pulpit\CFx.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
 * Resident antivirus is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Krzysztof\Dane aplikacji\inst.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_mpr_freader

((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.
2010-07-26 21:23 . 2010-07-26 21:23 -------- d-----w- c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\ArcSoft
2010-07-26 21:23 . 2010-07-26 21:23 -------- d-----w- c:\documents and settings\admin\Dane aplikacji\ArcSoft
2010-07-26 21:21 . 2010-07-26 21:21 -------- d-sh--w- c:\documents and settings\admin\IETldCache
2010-07-25 19:38 . 2010-07-25 19:38 -------- d-----w- c:\documents and settings\LocalService\Dane aplikacji\SACore
2010-07-25 19:02 . 2010-07-25 19:02 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\SiteAdvisor
2010-07-25 19:00 . 2010-02-17 14:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-07-25 19:00 . 2010-02-17 14:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-07-25 19:00 . 2010-02-17 14:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-07-25 19:00 . 2010-07-15 13:18 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-25 18:59 . 2010-07-25 18:59 -------- d-----w- c:\program files\McAfee.com
2010-07-25 18:59 . 2010-07-25 18:59 -------- d-----w- c:\program files\Common Files\McAfee
2010-07-25 18:59 . 2010-07-25 18:59 -------- d-----w- c:\program files\McAfee
2010-07-25 18:51 . 2010-02-17 14:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-07-18 12:44 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-09 20:19 . 2010-07-09 20:19 -------- d-----w- c:\documents and settings\kuba\Dane aplikacji\HP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 19:01 . 2006-01-02 05:36 34360 ----a-w- c:\documents and settings\Krzysztof\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2010-07-18 18:34 . 2010-06-14 20:09 1 ----a-w- c:\documents and settings\Arleta\Dane aplikacji\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-30 20:34 . 2004-08-04 10:00 89218 ----a-w- c:\windows\system32\perfc015.dat
2010-06-30 20:34 . 2004-08-04 10:00 500872 ----a-w- c:\windows\system32\perfh015.dat
2010-06-30 19:45 . 2006-02-24 17:14 34360 ----a-w- c:\documents and settings\Arleta\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2010-06-14 20:09 . 2010-06-14 20:09 -------- d-----w- c:\documents and settings\Arleta\Dane aplikacji\OpenOffice.org
2010-06-14 20:07 . 2010-06-14 20:07 1 ----a-w- c:\documents and settings\Krzysztof\Dane aplikacji\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-14 20:07 . 2010-06-14 20:07 -------- d-----w- c:\documents and settings\Krzysztof\Dane aplikacji\OpenOffice.org
2010-06-14 20:03 . 2010-06-14 20:03 -------- d-----w- c:\program files\JRE
2010-06-14 20:03 . 2010-06-14 20:03 -------- d-----w- c:\program files\OpenOffice.org 3
2010-06-14 20:00 . 2010-06-14 20:00 -------- d-----w- c:\program files\Common Files\Java
2010-06-14 20:00 . 2010-06-14 20:00 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-14 14:31 . 2005-12-27 18:09 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-05-31 18:32 . 2010-05-31 18:32 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-05-21 12:14 . 2009-10-05 11:40 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-11 08:58 . 2010-03-04 11:38 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-06 19:35 . 2010-05-06 19:35 152576 ----a-w- c:\documents and settings\Krzysztof\Dane aplikacji\Sun\Java\jre1.6.0_17\lzma.dll
2010-05-06 19:33 . 2010-05-06 19:33 79488 ----a-w- c:\documents and settings\Krzysztof\Dane aplikacji\Sun\Java\jre1.6.0_17\gtapi.dll
2010-05-06 10:35 . 2004-08-04 10:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 08:10 . 2004-08-04 10:00 1851520 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 13:39 . 2008-09-25 15:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2008-09-25 15:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2005-07-05 14:47 . 2006-03-05 16:19 777 ----a-w- c:\program files\trial_setup.ini
2005-07-05 14:47 . 2006-03-05 16:19 5133312 ----a-w- c:\program files\trial_setup.msi
2005-07-05 14:47 . 2006-03-05 16:19 40448 ----a-w- c:\program files\trial_setup.exe
2005-03-31 20:17 . 2005-12-27 23:27 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2010-05-12 07:11 2515552 ----a-w- c:\program files\Freecorder\tbFre1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2010-05-12 2515552]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFre1.dll" [2010-05-12 2515552]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 86016]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\\SmartDoctor.exe" [2004-12-16 987136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 77824]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2004-06-11 83968]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-10 524632]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-12-15 5513216]
"nwiz"="nwiz.exe" [2004-12-15 1490944]
"NvMediaCenter"="NvMCTray.dll" [2004-12-15 86016]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-10 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Arleta\Menu Start\Programy\Autostart\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Service Manager.lnk - c:\mssql7\Binn\sqlmangr.exe [2006-2-2 110592]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\ftp.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\WINDOWS\\System32\\MMC.EXE"=
"c:\\Program Files\\Tlen.pl\\tlen.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\3Com\\3CDaemon\\3CDaemon.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqpsapp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 ELOADER;General Purpose USB Driver (adildr.sys);c:\windows\system32\Drivers\adildr.sys [2007-02-07 56088]
R3 h647906;DragonRise H647906 AMD64 Driver;c:\windows\system32\drivers\h647906.sys [x]
R3 h648101;DragonRise H648101 AMD64 Driver;c:\windows\system32\drivers\h648101.sys [x]
R3 h648103;DragonRise H648103 AMD64 Driver;c:\windows\system32\drivers\h648103.sys [x]
R3 hid7906;hid7906;c:\windows\system32\drivers\hid7906.sys [2008-08-08 41272]
R3 hid8101;hid8101;c:\windows\system32\drivers\hid8101.sys [2008-08-08 43192]
R3 hid8103;hid8103;c:\windows\system32\drivers\hid8103.sys [2008-08-08 40856]
R3 RTCore;RTCore;e:\kfilipek\Desktop\rmma345bin\RTCore.sys [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2006-12-03 639224]
S0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-03-12 39472]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-05-04 64160]
S0 PQV2i;PQV2i; [x]
S1 PQIMount;PQIMount; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-10 1029456]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-23 203280]
S3 PhTVTune;TOP10 TV3 TV Tuner card;c:\windows\system32\DRIVERS\PhTVTune.sys [2004-03-28 24176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2010-07-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:08]

2010-07-25 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-07-25 10:22]

2010-07-25 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-07-25 10:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gazetawyborcza.pl/0,0.html?p=4
DPF: {81E688E8-36A4-4FEF-B70B-8B0A1C5C1308} - hxxp://eplytki.pl/launcher.cab
FF - ProfilePath - c:\documents and settings\Krzysztof\Dane aplikacji\Mozilla\Firefox\Profiles\lnbkopll.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJPI140_03.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Notify-AtiExtEvent - (no file)
AddRemove-HijackThis - G:\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-27 00:37
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1236)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2540)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSPL.DLL
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Avi2Dvd\Programs\Filters\Haali media splitter\mmfinfo.dll
c:\program files\Avi2Dvd\Programs\Filters\Haali media splitter\mkunicode.dll
c:\program files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\program files\McAfee\VirusScan\scriptsn.dll
c:\windows\system32\JScript.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Windows Defender\MsMpEng.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\ATKKBService.exe
c:\windows\system32\crypserv.exe
c:\windows\System32\GEARSec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\ASUS\SmartDoctor\SmartDoctor.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\progra~1\mcafee\msc\mcupdmgr.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
.
**************************************************************************
.
Completion time: 2010-07-27 00:42:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-26 22:41

Pre-Run: 1,010,008,064 bytes free
Post-Run: 1,515,962,368 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - B294FD707AAF9602914DDC0707DE2068
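Worked triage over lines of this log, as an added example: this is not ComboFix's own code and not part of the original post. It parses the three line shapes a responder reads first (dated file entries, the R*/S* service and driver lines, and the Windows Firewall standard-profile switch) and flags what this log actually contains: an executable under a user profile (the deleted inst.exe sat in Krzysztof's Dane aplikacji folder, and lzma.dll in the per-user Java directory trips the same rule and shows why every hit is a prompt to check rather than a verdict), service registrations whose image file is missing ([x], as for the three DragonRise drivers, RTCore on e:\ and PQV2i), a driver image outside c:\windows\, and EnableFirewall= 0 (here explained by McAfee Personal Firewall being the active firewall). The rule names and thresholds are my own; the sample input is a constructed excerpt of the lines above.

```python
"""Triage helper for ComboFix log lines.

Added example; not ComboFix's own code. The rules are heuristics: a hit
means "look at this entry", not "this is malware".
"""
import re

# Dated file entry: "<created> . <modified> <size|--------> <attrs> <path>"
DATED_FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>[a-z]:\\.+)$",
    re.IGNORECASE,
)
# Service/driver entry: "<start> <name>;<display>;<path> [<date size>|x]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?)\s*\[(?P<info>[^\]]*)\]$"
)
# Bare path line, as printed under "Other Deletions" and the process list.
BARE_PATH_RE = re.compile(r"^[a-z]:\\\S.*$", re.IGNORECASE)
# Windows Firewall standard-profile switch as ComboFix prints it.
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
PROFILE_ROOT = "c:\\documents and settings\\"   # XP per-user profiles
SYSTEM_ROOT = "c:\\windows\\"


def triage_line(line):
    """Return the list of (rule, detail) pairs that apply to one log line."""
    line = line.strip()
    hits = []
    m = SERVICE_RE.match(line)
    if m:
        name, path, info = m.group("name"), m.group("path"), m.group("info").strip()
        if info == "x":   # registration present, image file not found
            hits.append(("service-file-missing", f"{name} -> {path or '<no path>'}"))
        if path.lower().endswith(".sys") and not path.lower().startswith(SYSTEM_ROOT):
            hits.append(("driver-outside-windows", f"{name} -> {path}"))
        return hits
    m = FIREWALL_RE.match(line)
    if m:
        if m.group("value") == "0":
            hits.append(("windows-firewall-off", line))
        return hits
    m = DATED_FILE_RE.match(line)
    path = m.group("path") if m else (line if BARE_PATH_RE.match(line) else None)
    if path and path.lower().endswith(EXEC_EXT) and path.lower().startswith(PROFILE_ROOT):
        hits.append(("exec-in-user-profile", path))
    return hits


def triage(log_text):
    """Run triage_line over every line; returns hits in log order."""
    return [hit for line in log_text.splitlines() for hit in triage_line(line)]


# Constructed sample: lines excerpted from the log above.
SAMPLE_LOG = r"""
c:\documents and settings\Krzysztof\Dane aplikacji\inst.exe
2010-07-25 19:00 . 2010-02-17 14:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-05-06 19:35 . 2010-05-06 19:35 152576 ----a-w- c:\documents and settings\Krzysztof\Dane aplikacji\Sun\Java\jre1.6.0_17\lzma.dll
"EnableFirewall"= 0 (0x0)
R2 ELOADER;General Purpose USB Driver (adildr.sys);c:\windows\system32\Drivers\adildr.sys [2007-02-07 56088]
R3 h647906;DragonRise H647906 AMD64 Driver;c:\windows\system32\drivers\h647906.sys [x]
R3 RTCore;RTCore;e:\kfilipek\Desktop\rmma345bin\RTCore.sys [x]
S0 PQV2i;PQV2i; [x]
"""

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```

Run against a saved log (`triage(open(path, encoding="cp1250").read())` for a Polish-locale ComboFix log) and review the hits in order: a missing-file service entry is usually leftover from an uninstall, but it is also what a driver-based rootkit looks like after its file is removed and its registration is not, so pair each hit with the matching Find3M or Other Deletions lines before deciding.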