ComboFix 11-07-20.05 - Dominik 2011-07-21 9:56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.3039.2443 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Dominik\Moje dokumenty\Downloads\ComboFix.exe
AV: BitDefender Antivirus *Enabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *Enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dominik\null0.11017878639647027.exe
c:\documents and settings\Dominik\WINDOWS
c:\windows\system32\logs
c:\windows\system32\msvcsv60.dll
c:\windows\system32\Packet.dll
c:\windows\system32\shimg.dll
c:\windows\system32\wpcap.dll
c:\windows\temp.exe
.
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_CPUXP
-------\Legacy_NPF
-------\Service_cpuxp
.
.
((((((((((((((((((((((((( Pliki utworzone od 2011-06-21 do 2011-07-21 )))))))))))))))))))))))))))))))
.
.
2011-07-21 07:39 . 2011-07-21 07:39 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2011-07-20 18:47 . 2011-07-20 18:47 -------- d-----w- c:\program files\CCleaner
2011-07-19 12:22 . 2011-07-19 12:22 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-07-18 14:36 . 2011-07-20 16:01 21064 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-07-18 14:35 . 2011-07-19 12:22 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Hitman Pro
2011-07-13 12:33 . 2001-08-17 18:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2011-07-13 12:33 . 2001-08-17 18:56 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS
2011-07-10 10:52 . 2008-04-14 19:50 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-07-10 10:52 . 2008-04-14 19:50 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-06-29 21:20 . 2011-07-21 07:44 -------- d-----w- c:\program files\Ubisoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 17:52 . 2011-03-31 17:07 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 17:52 . 2011-03-31 17:07 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-22 11:10 . 2011-06-01 10:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-16 04:51 . 2011-06-22 14:11 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
Błąd usług kryptograficznych !!
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"yfwtray"="c:\program files\Yamaha\FWDriver\yfwtray.exe" [2008-03-06 110592]
"yfwcm"="c:\program files\Yamaha\FWDriver\yfwcm.exe" [2009-05-27 557056]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-17 61440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^BTTray.lnk]
backup=c:\windows\pss\BTTray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Dominik^Menu Start^Programy^Autostart^tmonitor.exe]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 10:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Dominik\\Ustawienia lokalne\\Dane aplikacji\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Dominik\\Ustawienia lokalne\\Dane aplikacji\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2519:TCP"= 2519:TCP:Services
"3538:TCP"= 3538:TCP:Services
"7051:TCP"= 7051:TCP:Services
"6473:TCP"= 6473:TCP:Services
"6036:TCP"= 6036:TCP:Services
"5911:TCP"= 5911:TCP:Services
"7692:TCP"= 7692:TCP:Services
"7458:TCP"= 7458:TCP:Services
"6395:TCP"= 6395:TCP:Services
"6051:TCP"= 6051:TCP:Services
"9067:TCP"= 9067:TCP:Services
"8239:TCP"= 8239:TCP:Services
"3817:TCP"= 3817:TCP:Services
"1631:TCP"= 1631:TCP:Services
"1762:TCP"= 1762:TCP:Services
.
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [2010-10-19 3791872]
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
R3 bdfm;bdfm;c:\windows\system32\drivers\bdfm.sys [x]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\bdfndisf.sys [x]
R3 DIGIRPS;Sterownik Digi PortServer;c:\windows\system32\DRIVERS\digirlpt.sys [2001-10-26 42560]
R3 GarenaPEngine;GarenaPEngine;c:\docume~1\Dominik\USTAWI~1\Temp\NHQ2F.tmp [x]
R3 gbxusb;gbxusb;c:\windows\system32\Drivers\gbxusb.sys [2010-10-20 65616]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-07-24 100736]
R3 KORG_1394;KORG_1394;c:\windows\system32\Drivers\KORG_1394.sys [2008-09-18 121944]
R3 KORG_avs;KORG_avs;c:\windows\system32\Drivers\KORG_avs.sys [2008-09-18 44120]
R3 leafnets;Leaf Networks Adapter;c:\windows\system32\DRIVERS\leafnets.sys [2007-05-02 55296]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [x]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27064]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WPRO_40_1123;WinPcap Packet Driver (WPRO_40_1123);c:\windows\system32\drivers\WPRO_40_1123.sys [x]
R3 YFWAUDIO;Yamaha Steinberg FW WDM Audio;c:\windows\system32\drivers\yfwaudio.sys [2011-01-31 23296]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-24 721904]
S3 gbxavs;Maschine Midi;c:\windows\system32\Drivers\gbxavs.sys [2010-10-20 342096]
S3 gbxusb_svc;Maschine Controller;c:\windows\system32\Drivers\gbxusb.sys [2010-10-20 65616]
S3 SynasUSB;eLicenser;c:\windows\system32\drivers\SynasUSB.sys [2009-06-26 23696]
S3 xcpip;Sterownik protokołu TCP/IP;c:\windows\system32\drivers\xcpip.sys [x]
S3 xpsec;Sterownik IPSEC;c:\windows\system32\drivers\xpsec.sys [x]
S3 YFWBUS;Yamaha Steinberg FW Bus;c:\windows\system32\Drivers\yfwbus.sys [2011-01-31 136704]
.
.
--- Inne Usługi/Sterowniki w Pamięci ---
.
*NewlyCreated* - MDMXSDK
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Zawartość folderu 'Zaplanowane zadania'
.
2011-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1035525444-1801674531-1003Core.job
- c:\documents and settings\Dominik\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2009-03-18 00:02]
.
2011-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1035525444-1801674531-1003UA.job
- c:\documents and settings\Dominik\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2009-03-18 00:02]
.
.
------- Skan uzupełniający -------
.
uStart Page = about:blank
mStart Page = about:blank
TCP: Interfaces\{F9772636-8CFF-4000-BE78-3E61CD0668F2}: NameServer = 194.204.152.34,194.204.159.1
FF - ProfilePath - c:\documents and settings\Dominik\Dane aplikacji\Mozilla\Firefox\Profiles\n28sd6bz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/ig
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SafeBoot-Wdf01000.sys
AddRemove-MIDI Driver V1.10 Setup - c:\program files\KORG\Firewire Driver\uninst.exe Software\KORG\Firewire_Driver\Setup
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-21 10:02
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Dominik\USTAWI~1\Temp\NHQ2F.tmp"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG11.00.00.01WORKSTATION"=[long hex value omitted]
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'winlogon.exe'(1112)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3412)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\oodag.exe
c:\windows\system32\imapi.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Czas ukończenia: 2011-07-21 10:03:30 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2011-07-21 08:03
.
Przed: 47 901 761 536 bajtów wolnych
Po: 48 355 450 880 bajtów wolnych
.
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 5341DA3F0DF8468BE1129709E2B35A86