ComboFix 10-08-09.03 - administrator 2010-08-10 11:41:23.7.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2047.1459 [GMT 2:00]
Uruchomiony z: c:\documents and settings\administrator\Pulpit\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
 UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\administrator\Moje dokumenty\cc_20100715_090446.reg
c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\axpldkr\Dane aplikacji\EurekaLog
c:\windows\system32\UNWISE.EXE

----- BITS: Możliwe zainfekowane strony -----

hxxp://svmars
.
((((((((((((((((((((((((( Pliki utworzone od 2010-07-10 do 2010-08-10 )))))))))))))))))))))))))))))))
.

2010-08-05 02:00 . 2010-08-05 02:00	--------	d-----w-	c:\windows\LastGood
2010-07-29 06:01 . 2010-07-29 06:01	503808	----a-w-	c:\documents and settings\axpldkr\Dane aplikacji\Sun\Java\Deployment\cache\6.0\46\f84c6ae-51cd5671-n\msvcp71.dll
2010-07-29 06:01 . 2010-07-29 06:01	499712	----a-w-	c:\documents and settings\axpldkr\Dane aplikacji\Sun\Java\Deployment\cache\6.0\46\f84c6ae-51cd5671-n\jmc.dll
2010-07-29 06:01 . 2010-07-29 06:01	348160	----a-w-	c:\documents and settings\axpldkr\Dane aplikacji\Sun\Java\Deployment\cache\6.0\46\f84c6ae-51cd5671-n\msvcr71.dll
2010-07-22 12:12 . 2010-07-22 12:12	--------	d-----w-	c:\documents and settings\axpldkr\Dane aplikacji\Malwarebytes
2010-07-15 08:22 . 2010-07-15 08:22	--------	d-----w-	c:\documents and settings\Administrator.PCAXPLZHEN\Dane aplikacji\Malwarebytes
2010-07-15 08:22 . 2010-07-15 08:22	--------	d-sh--w-	c:\documents and settings\Administrator.PCAXPLZHEN\IETldCache
2010-07-15 07:57 . 2010-07-15 07:58	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2010-07-15 07:57 . 2010-07-15 07:57	--------	d-----w-	c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2010-07-15 07:07 . 2010-07-15 07:07	--------	d-----w-	c:\documents and settings\administrator\Ustawienia lokalne\Dane aplikacji\Adobe
2010-07-15 07:07 . 2010-07-15 07:07	--------	d-----w-	c:\documents and settings\administrator\Dane aplikacji\AdobeUM
2010-07-15 07:02 . 2010-07-15 07:02	--------	d-----w-	c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-29 08:31 . 2009-10-21 09:44	--------	d-----w-	c:\documents and settings\axpldkr\Dane aplikacji\FileZilla
2010-07-27 06:30 . 2010-08-04 03:23	8491008	----a-w-	c:\windows\system32\SET85B.tmp
2010-07-15 09:13 . 2008-04-15 03:00	85136	----a-w-	c:\windows\system32\perfc015.dat
2010-07-15 09:13 . 2008-04-15 03:00	493976	----a-w-	c:\windows\system32\perfh015.dat
2010-07-15 07:04 . 2009-09-07 07:59	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-07-15 06:43 . 2009-03-31 09:23	--------	d-----w-	c:\documents and settings\axpldkr\Dane aplikacji\Skype
2010-07-15 02:01 . 2008-09-17 11:18	--------	d-----w-	c:\documents and settings\All Users\Dane aplikacji\Microsoft Help
2010-07-14 06:08 . 2010-02-16 11:40	--------	d-----w-	c:\documents and settings\axpldkr\Dane aplikacji\skypePM
2010-07-09 09:42 . 2010-07-09 08:50	--------	d-----w-	c:\documents and settings\axpldkr\Dane aplikacji\TeamViewer
2010-07-09 08:48 . 2010-07-09 08:44	--------	d-----w-	c:\documents and settings\administrator\Dane aplikacji\Skype
2010-07-09 08:47 . 2010-07-09 08:47	--------	d-----w-	c:\documents and settings\administrator\Dane aplikacji\skypePM
2010-07-09 08:47 . 2010-07-09 08:47	--------	d-----w-	c:\documents and settings\administrator\Dane aplikacji\TeamViewer
2010-07-09 08:46 . 2010-07-09 08:46	--------	d-----w-	c:\program files\TeamViewer
2010-07-09 08:44 . 2010-07-09 08:44	--------	d-----w-	c:\program files\Common Files\Skype
2010-07-09 08:44 . 2010-02-16 11:37	--------	d-----r-	c:\program files\Skype
2010-06-29 20:05 . 2009-01-14 14:21	664	----a-w-	c:\windows\system32\d3d9caps.dat
2010-06-17 12:10 . 2010-06-17 12:10	80896	----a-w-	c:\windows\system32\beed.sys
2010-06-15 20:00 . 2010-06-15 20:00	--------	d-----w-	c:\program files\Xenocode
2010-06-14 14:31 . 2008-09-17 09:13	744448	----a-w-	c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 10:45 . 2009-04-08 11:26	10890488	----a-w-	c:\documents and settings\All Users\Dane aplikacji\Audatex\AudaUpdate\Service\AUDAUPDT.EXE
2010-06-10 10:43 . 2009-04-08 11:27	902552	----a-w-	c:\documents and settings\All Users\Dane aplikacji\Audatex\AudaUpdate\Service\UPDATE.EXE
2010-06-10 10:43 . 2009-04-08 11:26	214424	----a-w-	c:\documents and settings\All Users\Dane aplikacji\Audatex\AudaUpdate\Service\SETUP.EXE
2010-06-10 10:42 . 2009-04-08 11:26	21920	----a-w-	c:\documents and settings\All Users\Dane aplikacji\Audatex\AudaUpdate\Service\AUDAUPDATE.EXE
2010-06-02 12:39 . 2008-12-19 13:06	68848	----a-w-	c:\documents and settings\axpldkr\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-17 16384000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
AudaUpdate.lnk - d:\audatex\AudaUpdate\AudaUpdt.exe [2009-3-13 10890488]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	\0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1409082233-725345543-1133\Scripts\Logon\0\0]
"Script"=SBS_LOGIN_SCRIPT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1409082233-725345543-500\Scripts\Logon\0\0]
"Script"=SBS_LOGIN_SCRIPT.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 beed;beed;c:\windows\system32\beed.sys [2010-06-17 80896]
R2 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fb_inet_server.exe [2008-12-19 2707456]
S2 AudatexInstallService;Audatex Install Service;c:\windows\INSTALLSERVICE.EXE [2009-03-06 654848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM	REG_MULTI_SZ   	WINRM
.
.
------- Skan uzupełniający -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\administrator\Dane aplikacji\Mozilla\Firefox\Profiles\dqpjecyc.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKLM-Run-NvCplDaemon - c:\windows\system32\NvCpl.dll
AddRemove-Hardlock Device Drivers - c:\windows\system32\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-10 11:44
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-2025429265-1409082233-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,6d,8a,3f,3f,d9,6a,48,a8,cf,fa,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,6d,8a,3f,3f,d9,6a,48,a8,cf,fa,\
.
Czas ukończenia: 2010-08-10 11:44:57
ComboFix-quarantined-files.txt  2010-08-10 09:44
ComboFix2.txt  2009-09-07 09:59

Przed: 81 453 903 872 bajtów wolnych
Po: 82 599 096 320 bajtów wolnych

- - End Of File - - 7D7017515631BBC2D576D708B162807C