ComboFix 11-09-24.01 - Piotr 2011-09-24 19:02:47.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2046.1700 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Piotr\Pulpit\ComboFix.exe
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Piotr\Dane aplikacji\Adobe\plugs
c:\documents and settings\Piotr\Dane aplikacji\Adobe\plugs\KB17926718
c:\documents and settings\Piotr\Dane aplikacji\Adobe\plugs\KB17937562.exe
c:\documents and settings\Piotr\Dane aplikacji\Adobe\plugs\KB17937687.exe
c:\documents and settings\Piotr\Dane aplikacji\Adobe\shed
c:\windows\$NtUninstallKB44184$
c:\windows\$NtUninstallKB44184$\597913796\@
c:\windows\$NtUninstallKB44184$\597913796\bckfg.tmp
c:\windows\$NtUninstallKB44184$\597913796\cfg.ini
c:\windows\$NtUninstallKB44184$\597913796\Desktop.ini
c:\windows\$NtUninstallKB44184$\597913796\kwrd.dll
c:\windows\$NtUninstallKB44184$\597913796\L\ncrwqjnn
c:\windows\$NtUninstallKB44184$\597913796\U\00000001.@
c:\windows\$NtUninstallKB44184$\597913796\U\00000002.@
c:\windows\$NtUninstallKB44184$\597913796\U\80000000.@
c:\windows\$NtUninstallKB44184$\597913796\U\80000032.@
c:\windows\$NtUninstallKB44184$\791373586
c:\windows\3295716131
c:\windows\system32\d3d9caps.dat
.
Zainfekowana kopia c:\windows\system32\drivers\redbook.sys została znaleziona. Problem naprawiono
Plik odzyskano z - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_23a370c4
.
.
((((((((((((((((((((((((( Pliki utworzone od 2011-08-24 do 2011-09-24 )))))))))))))))))))))))))))))))
.
.
2011-09-24 17:00 . 2006-09-13 18:18 58624 -c--a-w- c:\windows\system32\dllcache\redbook.sys
2011-09-24 17:00 . 2006-09-13 18:18 58624 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-09-23 18:25 . 2011-09-23 18:25 -------- d-----w- c:\program files\AVAST Software
2011-09-23 18:25 . 2011-09-23 18:25 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\AVAST Software
2011-09-23 18:25 . 2011-09-23 18:25 -------- d-----w- c:\program files\Symantec
2011-09-23 18:25 . 2011-09-23 18:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-09-23 18:25 . 2011-09-23 18:25 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\ESET
2011-09-23 18:25 . 2011-09-23 18:25 -------- d-----w- c:\program files\CCleaner
2011-09-23 16:03 . 2011-09-23 16:03 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-09-23 16:03 . 2011-09-23 16:03 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-09-23 15:55 . 2004-08-03 22:38 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-09-23 15:32 . 2006-09-13 16:19 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-09-20 21:37 . 2011-09-20 21:37 -------- d-----w- c:\program files\Windows Sidebar
2011-09-19 23:03 . 2011-09-19 23:03 -------- d--h--w- c:\windows\PIF
2011-09-19 22:15 . 2011-09-19 22:34 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-24 17:07 . 2010-02-10 22:16 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2011-09-24 17:07 . 2010-02-11 13:58 17488 ----a-w- c:\windows\gdrv.sys
2011-09-08 15:55 . 2011-05-07 22:13 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-08 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"RTHDCPL"="RTHDCPL.EXE" [2009-06-25 17887232]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
.
c:\documents and settings\Piotr\Menu Start\Programy\Autostart\
Gadu-Gadu 10.lnk - c:\program files\Gadu-Gadu 10\gg.exe [2010-5-4 12477024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
2003-05-21 16:37 229437 ----a-w- c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2009-10-01 15:45 139944 ----a-w- c:\program files\Lexmark S300-S400 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-10-23 17:51 233472 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 09:24 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-09-01 11:42 176128 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 21:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxeamon.exe]
2009-10-01 15:45 766632 ----a-w- c:\program files\Lexmark S300-S400 Series\lxeamon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 05:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 14:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 09:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WPALauncher]
2009-08-10 20:48 503808 ----a-w- c:\program files\WPA Launcher\WPALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\xrEngine.exe"=
"d:\\Program files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Documents and Settings\\Piotr\\Pulpit\\utorrent.exe"=
"c:\\WINDOWS\\system32\\lxeacoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\Skype\\Phone\\Skype.exe"=
"e:\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Tunngle\\TnglCtrl.exe"=
"c:\\Program Files\\Tunngle\\Tunngle.exe"=
"e:\\Program Files\\CAPCOM\\LOST PLANET 2\\LP2DX9.exe"=
"e:\\Program Files\\CAPCOM\\LOST PLANET 2\\LP2DX11.exe"=
"e:\\Program Files\\Tunngle\\TnglCtrl.exe"=
"e:\\Program Files\\Tunngle\\Tunngle.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Gadu-Gadu 10\\gg.exe"=
"e:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57781:TCP"= 57781:TCP:Pando Media Booster
"57781:UDP"= 57781:UDP:Pando Media Booster
.
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-12-29 40560]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-09-29 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-09-29 94872]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [2010-02-10 219360]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [2010-02-10 68136]
R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
R2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeaserv.exe [2010-08-24 98984]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2010-02-11 22016]
R2 TunngleService;TunngleService;c:\program files\Tunngle\TnglCtrl.exe [2011-05-31 718072]
R3 AODDriver;AODDriver;c:\program files\GIGABYTE\ET6\i386\AODDriver.sys [2009-02-23 7168]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2011-01-12 810144]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-02-11 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-12-29 13192]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2010-02-11 17488]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-12-29 8456]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2010-12-29 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2010-12-29 11104]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2010-02-11 29184]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2010-02-11 17536]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
SUnknown GVTDrv;GVTDrv; [x]
.
.
------- Skan uzupełniający -------
.
uInternet Connection Wizard,ShellNext = hxxp://download.gigabyte.com.tw/
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 62.21.99.95 192.168.0.1
FF - ProfilePath - c:\documents and settings\Piotr\Dane aplikacji\Mozilla\Firefox\Profiles\aue9jp8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.infoeltech.com.pl/
FF - prefs.js: keyword.URL - hxxp://www.google.com/cse?cx=partner-pub-5462406484424654%3A8q0sn8-w2ss&ie=ISO-8859-1&q=
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 9666
FF - prefs.js: network.proxy.gopher - 127.0.0.1
FF - prefs.js: network.proxy.gopher_port - 9666
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9666
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-24 19:07
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
.
c:\windows\system32\GVTunner.ref 4 bytes
.
skanowanie pomyślnie ukończone
ukryte pliki: 1
.
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_USERS\S-1-5-21-1214440339-1897051121-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:d9,42,e9,ee,3a,52,0f,2a,e7,58,06,eb,88,09,2e,e9,44,38,f5,90,60,
   0b,c9,a9,d9,ea,6a,7e,32,3b,52,4f,42,22,31,76,b6,2b,a0,fd,32,d9,da,67,cd,16,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'explorer.exe'(1512)
c:\windows\system32\msxml3.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxeacoms.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Czas ukończenia: 2011-09-24 19:09:05 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2011-09-24 17:09
.
Przed: 19 549 720 576 bajtów wolnych
Po: 19 548 745 728 bajtów wolnych
.
- - End Of File - - D3D0DB99BFF0A7E24F925B820F44C7B9