ComboFix 10-08-12.03 - Monia 2010-08-14 11:20:11.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.1279.793 [GMT 2:00]
Running from: d:\programy\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\dlilm.pif
C:\ewot.exe
C:\eyshe.pif
C:\fkqs.pif
C:\goml.exe
C:\jpkotu.pif
C:\lbbykl.exe
C:\mugsk.pif
C:\nbtqv.exe
C:\stckg.pif
C:\thty.exe
C:\vwwt.pif
C:\wljth.exe
C:\yrhle.pif
C:\ywtt.exe
D:\Autorun.inf
D:\cljgr.exe
D:\ejreh.pif
D:\iefi.exe
D:\ilhqf.pif
D:\jljbm.exe
D:\jxkyhv.pif
D:\klbq.exe
D:\kwjdi.pif
D:\nxxc.exe
D:\rbxfi.pif
D:\tllea.pif
D:\tswa.pif
D:\vhbrdl.pif
D:\wfwfw.pif
D:\wgaxmw.pif
D:\wkmnk.pif
D:\wnfrh.exe
E:\Autorun.inf
E:\bhqxrr.pif
E:\bwhj.pif
E:\ctrq.pif
E:\dfsmq.exe
E:\kukj.exe
E:\ljrr.exe
E:\nmwxmn.pif
E:\nrstk.pif
E:\opsst.pif
E:\rwfd.exe
E:\whfgnq.exe
E:\wlxks.pif
E:\wtxpyl.pif
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AMSINT32
-------\Service_amsint32

((((((((((((((((((((((((( Files created from 2010-07-14 to 2010-08-14 )))))))))))))))))))))))))))))))
.
No new files created in this period
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-14 09:25 . 2010-08-14 09:25 103140 --sh--r- C:\rsucs.exe
2010-08-14 09:17 . 2010-08-14 09:17 103140 --sh--r- C:\xawhp.exe
2010-08-14 09:16 . 2010-08-14 09:16 103140 --sh--r- C:\gxbiwv.exe
2010-08-14 09:12 . 2010-08-14 09:12 103140 --sh--r- C:\fkhaoj.exe
2010-08-14 09:12 . 2010-08-14 09:12 103140 --sh--r- C:\dagva.exe
2010-08-14 09:09 . 2010-08-14 09:09 103140 --sh--r- C:\ypoosq.exe
2010-08-14 09:07 . 2010-08-14 09:07 103140 --sh--r- C:\dglsic.exe
2010-08-14 09:00 . 2010-08-14 08:09 16376 ----a-w- c:\documents and settings\Monia\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2010-08-14 08:47 . 2010-08-14 08:47 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-14 08:44 . 2010-08-14 08:40 -------- d-----w- c:\documents and settings\Monia\Dane aplikacji\Winamp
2010-08-14 08:41 . 2010-08-14 08:40 -------- d-----w- c:\program files\Winamp
2010-08-14 08:41 . 2010-08-14 08:41 -------- d-----w- c:\program files\Winamp Detect
2010-08-14 08:33 . 2010-08-14 08:32 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-08-14 08:27 . 2010-08-14 08:27 -------- d-----w- c:\program files\ESET
2010-08-14 08:27 . 2010-08-14 08:27 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\ESET
2010-08-14 08:25 . 2010-08-14 08:25 -------- d-----w- c:\program files\Trend Micro
2010-08-14 08:23 . 2010-08-14 08:23 103140 --sh--r- C:\oeyuus.exe
2010-08-14 08:12 . 2010-08-14 08:12 -------- d-----w- c:\documents and settings\Monia\Dane aplikacji\BESTplayer
2010-08-14 08:09 . 2010-08-14 08:09 -------- d-----w- c:\documents and settings\Monia\Dane aplikacji\ATI
2010-08-14 08:09 . 2010-08-14 08:09 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\ATI
2010-08-14 08:07 . 2001-10-26 16:15 74450 ----a-w- c:\windows\system32\perfc015.dat
2010-08-14 08:07 . 2001-10-26 16:15 448348 ----a-w- c:\windows\system32\perfh015.dat
2010-08-14 07:59 . 2010-08-14 07:59 0 ----a-w- c:\windows\ativpsrm.bin
2010-08-14 07:58 . 2010-08-14 07:56 -------- d-----w- c:\program files\ATI Technologies
2010-08-14 07:57 . 2010-08-14 07:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-14 07:57 . 2010-08-14 07:56 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-14 07:50 . 2010-08-14 07:50 0 ----a-w- c:\windows\nsreg.dat
2010-08-14 07:46 . 2010-08-14 07:46 -------- d-----w- c:\program files\Lavalys
2010-08-14 07:30 . 2010-08-14 07:30 -------- d-----w- c:\program files\microsoft frontpage
2010-08-14 07:29 . 2010-08-14 07:29 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-08-14 07:28 . 2010-08-14 07:28 -------- d-----w- c:\program files\Usługi online
2010-08-14 07:26 . 2010-08-14 07:26 21856 ----a-w- c:\windows\system32\emptyregdb.dat
2010-08-14 07:26 . 2010-08-14 07:26 -------- d-----w- c:\program files\Windows Media Connect 2
2010-08-12 08:00 . 2010-08-14 08:32 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Adobe\Reader\9.3\ARM\22594\AdobeARM.exe
2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Adobe\Reader\9.3\ARM\22594\AdobeExtractFiles.dll
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Adobe\Reader\9.3\ARM\22594\ReaderUpdater.exe
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Adobe\Reader\9.3\ARM\22594\AcrobatUpdater.exe
2010-06-08 16:10 . 2010-08-14 08:32 790528 ----a-w- c:\windows\system32\xvidcore.dll
2010-06-08 16:10 . 2010-08-14 08:32 134144 ----a-w- c:\windows\system32\xvidvfw.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-08-14_08.22.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-14 08:41 . 2009-04-28 20:20 96752 c:\windows\system32\vxblock.dll
+ 1999-11-25 00:40 . 1999-11-25 00:40 40960 c:\windows\system32\VBAME.DLL
+ 1998-03-25 03:54 . 1998-03-25 03:54 15872 c:\windows\system32\SCP32.DLL
+ 2010-08-14 08:41 . 2009-04-28 20:20 66032 c:\windows\system32\pxinsa64.exe
+ 2010-08-14 08:41 . 2009-04-28 20:20 72176 c:\windows\system32\pxhpinst.exe
+ 2010-08-14 08:41 . 2009-04-28 20:20 66544 c:\windows\system32\pxcpya64.exe
+ 1998-08-09 17:07 . 1998-08-09 17:07 94208 c:\windows\system32\MSSTKPRP.DLL
+ 1999-04-08 09:23 . 1999-04-08 09:23 53248 c:\windows\system32\MFC42PLK.DLL
+ 1999-10-18 02:01 . 1999-10-18 02:01 26384 c:\windows\system32\FM20ENU.DLL
+ 2010-08-14 08:41 . 2009-04-28 20:20 44944 c:\windows\system32\drivers\PxHelp20.sys
+ 2010-04-07 19:09 . 2010-04-07 19:09 95872 c:\windows\system32\drivers\epfwtdir.sys
+ 2001-01-22 01:25 . 2001-01-22 01:25 32768 c:\windows\system32\ATHPRXY.DLL
+ 2010-08-14 08:54 . 2010-08-14 08:54 90112 c:\windows\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2010-08-14 08:54 . 2010-08-14 08:54 45056 c:\windows\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2010-08-14 08:54 . 2010-08-14 08:54 22528 c:\windows\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2010-08-14 08:54 . 2010-08-14 08:54 30720 c:\windows\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2010-08-14 08:54 . 2010-08-14 08:54 16384 c:\windows\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2010-08-14 08:54 . 2010-08-14 08:54 34304 c:\windows\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2010-08-14 08:54 . 2010-08-14 08:54 81920 c:\windows\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2010-08-14 08:28 . 2010-08-14 08:28 10134 c:\windows\Installer\{85DCB3AA-90D3-444B-880C-C72951252E55}\callmsi.exe
+ 1999-06-04 13:22 . 1999-06-04 13:22 7680 c:\windows\system32\MSPRPPL.DLL
+ 2010-08-14 08:41 . 2009-04-28 20:20 9200 c:\windows\system32\drivers\cdralw2k.sys
+ 2010-08-14 08:41 . 2009-04-28 20:20 9072 c:\windows\system32\drivers\cdr4_xp.sys
+ 2010-08-14 08:54 . 2010-08-14 08:54 3584 c:\windows\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2010-08-14 08:54 . 2010-08-14 08:54 8192 c:\windows\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2010-08-14 08:54 . 2010-08-14 08:54 2560 c:\windows\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2006-12-01 20:54 . 2006-12-01 20:54 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-01 20:54 . 2006-12-01 20:54 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 20:54 . 2006-12-01 20:54 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2010-08-14 08:32 . 2004-01-25 16:18 217088 c:\windows\system32\yv12vfw.dll
+ 2010-08-14 08:32 . 2010-03-15 09:31 165376 c:\windows\system32\unrar.dll
+ 2000-04-03 15:52 . 2000-04-03 15:52 151552 c:\windows\system32\RDOCURS.DLL
+ 2010-08-14 08:41 . 2009-04-28 20:20 436720 c:\windows\system32\pxwave.dll
+ 2010-08-14 08:41 . 2009-04-28 20:20 219632 c:\windows\system32\pxmas.dll
+ 2010-08-14 08:41 . 2009-04-28 20:20 551408 c:\windows\system32\pxdrv.dll
+ 2010-08-14 08:41 . 2009-04-28 20:20 129520 c:\windows\system32\pxafs.dll
+ 2010-08-14 08:41 . 2009-04-28 20:20 670192 c:\windows\system32\px.dll
+ 2000-05-24 04:45 . 2000-05-24 04:45 118784 c:\windows\system32\MSSTDFMT.DLL
+ 2000-05-11 11:06 . 2000-05-11 11:06 397312 c:\windows\system32\MSRDO20.DLL
+ 2010-08-14 09:15 . 2010-08-14 08:59 110992 c:\windows\system32\FNTCACHE.DAT
+ 2010-04-07 19:08 . 2010-04-07 19:08 114984 c:\windows\system32\drivers\ehdrv.sys
+ 2010-04-07 19:05 . 2010-04-07 19:05 140216 c:\windows\system32\drivers\eamon.sys
+ 2010-08-14 08:28 . 2010-08-14 08:28 960512 c:\windows\Installer\3b86b.msi
+ 2010-08-14 08:54 . 2010-08-14 08:54 114688 c:\windows\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2010-08-14 08:54 . 2010-08-14 08:54 167936 c:\windows\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2010-08-14 08:28 . 2010-08-14 08:28 101480 c:\windows\Installer\{85DCB3AA-90D3-444B-880C-C72951252E55}\egui.exe
+ 2010-08-14 08:41 . 2009-04-28 20:20 1858032 c:\windows\system32\pxsfs.dll
+ 1999-10-18 02:01 . 1999-10-18 02:01 1129232 c:\windows\system32\FM20.DLL
+ 2010-08-14 08:25 . 2010-08-14 08:25 1094656 c:\windows\Installer\3b867.msi
+ 2010-08-14 08:53 . 2010-08-14 08:53 3407360 c:\windows\Installer\170328.msi
+ 2010-08-14 08:48 . 2010-08-14 08:48 3949056 c:\windows\Installer\170320.msi
.
-- Snapshot reset --
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-02-02 155648]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 131072]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-04-07 2145000]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 113584]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 157088]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\knuueq.exe"=
"c:\\Program Files\\Lavalys\\EVEREST Home Edition\\everest.bin"=
"c:\\WINDOWS\\SOUNDMAN.EXE"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-04-07 114984]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-04-07 95872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-04-07 810120]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt [2005-08-18 7168]
.
.
------- Supplementary Scan -------
.
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Monia\Dane aplikacji\Mozilla\Firefox\Profiles\xn6loj3c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-14 11:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
--------------------- DLLs loaded under running processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3624)
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\windows\SOUNDMAN.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2010-08-14 11:32:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-14 09:32
ComboFix2.txt 2010-08-14 08:25

Pre-Run: 5 512 093 696 bytes free
Post-Run: 5 511 442 432 bytes free

- - End Of File - - 0B27501271CB0040E8305CEEDE62EF48
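The log above carries the full footprint of an autorun worm: autorun.inf plus random-named .exe/.pif droppers in the root of C:, D: and E:, more copies still appearing in the Find3M report as 103140-byte files with hidden, system and read-only attributes, every Security Center override flag set to 1, the Windows Firewall switched off, and d:\knuueq.exe added to the firewall allow list. As an added example that is not ComboFix code and not part of the original post, the Python below parses a ComboFix log and flags exactly those indicators. The section names, regexes and heuristics are my own assumptions about the log layout, and LOG is an excerpt of the log above embedded here as a constructed string.

```python
"""Triage of a ComboFix log for the autorun-worm pattern seen above.

Added example; this is not ComboFix code and not from the original post.
LOG is an excerpt copied from the log above (constructed as a string here);
the regexes, section names and heuristics are my own assumptions.
"""
import re
from collections import Counter

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # ((( Deleted )))
KEY_RE = re.compile(r"^\[(.+)\]$")                  # [HKLM\...]
# Find3M / snapshot entry: "[+] mtime . ctime <size|--------> [attrs] path"
ENTRY_RE = re.compile(
    r"^\+?\s*\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(\d+|-+)\s+(?:([-a-z]{8})\s+)?(.+)$")
# "Name"=dword:00000001 | "Name"= 0 (0x0) | "path"=   (firewall allow list)
VALUE_RE = re.compile(
    r'^"([^"]+)"=\s*(?:dword:([0-9a-f]{8})|(\d+) \(0x[0-9a-f]+\))?$', re.I)
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.I)  # file directly in a drive root
DROPPER_EXT = (".exe", ".pif", ".scr", ".com")
CENTER_OVERRIDES = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
                    "firewalldisablenotify", "updatesdisablenotify", "uacdisablenotify"}


def is_root_dropper(path):
    return bool(DRIVE_ROOT_RE.match(path)) and path.lower().endswith(DROPPER_EXT)


def triage(log_text):
    """Return findings keyed by category; empty list / False means not seen."""
    f = {"autorun_inf": [], "deleted_root_droppers": [], "hidden_root_execs": [],
         "same_size_clusters": {}, "security_center_overrides": [],
         "firewall_disabled": False, "firewall_allow_root_exe": []}
    section = key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1).lower(), None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if section == "deleted":
            if line.lower().endswith("\\autorun.inf"):
                f["autorun_inf"].append(line)
            elif is_root_dropper(line):
                f["deleted_root_droppers"].append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            size, attrs, path = m.groups()
            # hidden + system attributes on an executable sitting in a drive root
            if attrs and "h" in attrs and "s" in attrs and size.isdigit() \
                    and is_root_dropper(path):
                f["hidden_root_execs"].append((path, int(size)))
            continue
        m = VALUE_RE.match(line) if key else None
        if m:
            name, dword, dec = m.groups()
            val = int(dword, 16) if dword else (int(dec) if dec else None)
            if "security center" in key and name.lower() in CENTER_OVERRIDES and val == 1:
                f["security_center_overrides"].append(key.rsplit("\\", 1)[-1] + "\\" + name)
            elif "firewallpolicy" in key and name.lower() == "enablefirewall" and val == 0:
                f["firewall_disabled"] = True
            elif key.endswith("authorizedapplications\\list") and val is None:
                path = name.replace("\\\\", "\\")   # the allow list doubles backslashes
                if is_root_dropper(path):
                    f["firewall_allow_root_exe"].append(path)
    # one dropper copied under random names shows up as one size, many files
    sizes = Counter(s for _, s in f["hidden_root_execs"])
    f["same_size_clusters"] = {s: n for s, n in sizes.items() if n > 1}
    return f


# Constructed excerpt of the log above (same layout ComboFix writes).
LOG = r"""
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
C:\autorun.inf
C:\dlilm.pif
C:\ewot.exe
D:\Autorun.inf
D:\cljgr.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-08-14 09:25 . 2010-08-14 09:25 103140 --sh--r- C:\rsucs.exe
2010-08-14 09:17 . 2010-08-14 09:17 103140 --sh--r- C:\xawhp.exe
2010-08-14 08:47 . 2010-08-14 08:47 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-14 08:23 . 2010-08-14 08:23 103140 --sh--r- C:\oeyuus.exe
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-02-02 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\knuueq.exe"=
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"""

if __name__ == "__main__":
    for category, hits in triage(LOG).items():
        print(f"{category}: {hits}")
```

Run it as a script to print the findings for the excerpt, or call triage() on the full text of a saved ComboFix.txt. The same-size cluster is the cheapest tell: a worm that copies itself under random names leaves one file size repeated across drive roots, while the Security Center override values and the allow-listed root executable are what keep the infection quiet after the files are gone, so they need to be reset even after ComboFix has deleted the droppers.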