ComboFix 10-08-24.0C - Meblewaldi 2010-08-25 21:51:59.4.3 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.3326.2904 [GMT 2:00]
Running from: c:\documents and settings\Meblewaldi\Pulpit\logi2\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
 * Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\MEBLEW~1\USTAWI~1\Temp\4_pinnew.exe
c:\docume~1\MEBLEW~1\USTAWI~1\Temp\avto.exe
c:\docume~1\MEBLEW~1\USTAWI~1\Temp\q1.exe
c:\docume~1\MEBLEW~1\USTAWI~1\Temp\teste1_p.exe
c:\documents and settings\All Users\Dane aplikacji\19547504\sp.Dll
c:\documents and settings\Meblewaldi\Dane aplikacji\ohydy.exe
c:\documents and settings\Meblewaldi\oashdihasidhasuidhiasdhiashdiuasdhasd
C:\lsass.exe
c:\windows\cfdrive32.exe
c:\windows\lsass.exe
c:\windows\svc.exe
c:\windows\svw.exe
c:\windows\svx.exe
c:\windows\system32\3717383535.dat
c:\windows\system32\drivers\srenum.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\msrun.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\yaaabx.dll
c:\windows\system32\yaawww.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\tmp0093245.log
c:\windows\tmp0145471.log
c:\windows\tmp0308019.log
c:\windows\tmp3743257.log
c:\windows\tmp4085122.log
c:\windows\tmp4512740.log
c:\windows\tmp4821749.log
c:\windows\tmp4857018.log
c:\windows\tmp7239719.log
c:\windows\tmp8270696.log
c:\windows\tmp8521096.log
c:\windows\tmp8923716.log
c:\windows\tmp9009728.log
c:\windows\tmp9062626.log
c:\windows\tmp9320084.log
c:\windows\tmp9776294.log
c:\windows\vlc.exe
c:\windows\wdmon.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ATAPIDRV
-------\Legacy_FOLLOWER
-------\Service_AtapiDrv
-------\Service_Follower
-------\Service_ndisrd
-------\Service_SPService
-------\Legacy_srenum
-------\Service_srenum

((((((((((((((((((((((((( Files Created from 2010-07-25 to 2010-08-25 )))))))))))))))))))))))))))))))
.
2010-08-25 19:51 . 2010-08-25 19:40 189952 ----a-w- c:\windows\Twoxub.exe
2010-08-25 19:23 . 2010-08-25 19:23 -------- d-----w- C:\UsbFix
2010-08-25 18:58 . 2010-08-25 18:58 189952 ----a-w- c:\windows\Twoxua.exe
2010-08-25 18:09 . 2010-08-25 18:09 -------- d-----w- c:\documents and settings\Meblewaldi\DoctorWeb
2010-08-25 18:04 . 2010-08-25 18:04 -------- d-----w- c:\documents and settings\Meblewaldi\Dane aplikacji\TeamViewer
2010-08-25 18:03 . 2010-08-25 18:03 -------- d-----w- c:\program files\TeamViewer
2010-08-25 17:37 . 2010-08-25 17:37 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-08-23 18:16 . 2010-08-23 18:16 -------- d-----w- c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\Adobe
2010-08-22 22:53 . 2010-08-25 19:59 784384 ----a-w- c:\windows\system32\drivers\pduhrrju.sys
2010-08-22 22:48 . 2010-08-22 22:48 -------- d-----r- c:\documents and settings\LocalService\Ulubione
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 19:58 . 2008-04-15 12:00 88816 ----a-w- c:\windows\system32\perfc015.dat
2010-08-25 19:58 . 2008-04-15 12:00 499510 ----a-w- c:\windows\system32\perfh015.dat
2010-08-25 19:56 . 2009-06-22 20:15 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\19547504
2010-08-25 19:37 . 2008-04-15 12:00 3456 ----a-w- c:\windows\system32\drivers\pciide.sys
2010-08-25 17:32 . 2009-05-13 09:35 -------- d---a-w- c:\documents and settings\All Users\Dane aplikacji\TEMP
2010-08-22 22:42 . 2010-06-09 14:06 210816 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-08-16 22:05 . 2009-02-09 22:02 1 ----a-w- c:\documents and settings\Meblewaldi\Dane aplikacji\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-08-05 16:26 . 2010-02-23 17:53 -------- d-----w- c:\program files\Gadu-Gadu 10
2010-07-19 19:23 . 2008-11-25 13:16 10 ----a-w- c:\windows\popcinfo.dat
2010-06-30 19:03 . 2009-01-25 15:11 -------- d-----w- c:\documents and settings\Meblewaldi\Dane aplikacji\PlayFirst
2010-06-27 18:41 . 2008-11-24 20:17 -------- d-----w- c:\program files\Ubisoft
2010-06-27 18:41 . 2008-11-18 16:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-23 19:19 . 2010-06-23 19:19 501936 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Google\Google Toolbar\Update\gtb6.tmp.exe
2010-06-16 12:24 . 2008-11-18 16:45 16064 ----a-w- c:\documents and settings\Meblewaldi\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
.
------- Sigcheck -------

[-] 2010-08-22 22:42 . !HASH: COULD NOT OPEN FILE !!!!! . 210816 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[-] 2010-08-22 22:42 . !HASH: COULD NOT OPEN FILE !!!!! . 210816 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2008-04-13 23:50 . !HASH: COULD NOT OPEN FILE !!!!! . 182656 . . [------] . . c:\windows\ERDNT\cache\ndis.sys

[-] 2008-04-15 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-04-15 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-30 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-1-11 39792]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-5-11 738968]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"f:\\call\\CoDWaWmp.exe"=
"f:\\call\\CoDWaW.exe"=
"c:\\Program Files\\Ubisoft\\THE SETTLERS - Narodziny Imperium\\base\\bin\\Settlers6.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Meblewaldi\\Pulpit\\utorrent.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Ubisoft\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Ubisoft\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Ubisoft\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24082:TCP"= 24082:TCP:torrent
"24082:UDP"= 24082:UDP:torrent1
"8461:TCP"= 8461:TCP:GoD High Port
"8462:TCP"= 8462:TCP:GoD Low Port
"10282:TCP"= 10282:TCP:spport
"15385:TCP"= 15385:TCP:spport
"26814:TCP"= 26814:TCP:spport
"25424:TCP"= 25424:TCP:spport
"25283:TCP"= 25283:TCP:spport
"16703:TCP"= 16703:TCP:spport
"6284:TCP"= 6284:TCP:spport
"29456:TCP"= 29456:TCP:spport
"11544:TCP"= 11544:TCP:spport
"28115:TCP"= 28115:TCP:spport
"12087:TCP"= 12087:TCP:spport
"12366:TCP"= 12366:TCP:spport
"13474:TCP"= 13474:TCP:spport
"25781:TCP"= 25781:TCP:spport
"18657:TCP"= 18657:TCP:spport

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-11-13 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2010-03-11 25088]
S2 gupdate;Usługa Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
S2 RasMandmadmin;Menedżer połączeń usługi Dostęp zdalny RasMandmadmin; srv --> srv [?]
S2 RasManWDSmartWareBackgroundService;Menedżer połączeń usługi Dostęp zdalny RasManWDSmartWareBackgroundService;c:\windows\system32\AgCPanelGermanu.exe srv --> c:\windows\system32\AgCPanelGermanu.exe srv [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-03-01 11520]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-11-26 717296]

--- Other Services/Drivers In Memory ---

*Deregistered* - pduhrrju

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-01-24 11:30 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 13:21]

2010-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 07:12]

2010-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 07:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://alawar.pl
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Funkcja Google Sidewiki - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Pobierz za pomocą Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
TCP: {3F8BE411-5F19-4682-AC26-5AE179F7D955} = 91.188.60.223,8.8.8.8
DPF: {E23FABEE-33DA-12E3-DA12-195DAC123984} - hxxp://cached.gamedesire.com/g_bin/pl/mahjong_2_0_0_35.cab
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - (no file)
HKCU-Run-rqopmjaudio - yaaabx.dll
HKLM-Run-nnooppaudio - yaaabx.dll
HKLM-Run-sstrqnsys - yaawww.dll
HKU-Default-Run-gedbabsys - yaawww.dll
HKU-Default-Run-rqrpqoaudio - yaaabx.dll
SafeBoot-AtapiDrv.sys
SafeBoot-dwshd.sys7fd90429
SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-25 21:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x8A6350E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74ebf28
\Driver\ACPI -> ACPI.sys @ 0xf735dcb8
\Driver\atapi -> atapi.sys @ 0xf724e852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMandmadmin]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pduhrrju]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(452)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-25 22:01:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-25 20:01

Pre-Run: 43,606,548,480 bytes free
Post-Run: 44,889,767,936 bytes free

- - End Of File - - 5A1C1C3F965B4C1F8B8C1AFEFBAFBBFE
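A log like the one above is usually read by eye, but the items a responder checks first are mechanical to pull out: what ComboFix deleted, whether the Windows Firewall is switched off, which firewall exceptions open many ports under one generic label, which services resolve to something that is not a path to an executable (the log shows an ImagePath of " srv" and an .exe followed by a stray argument), and which DNS servers the interface is configured with. The script below is an added example and is not code from the poster or from ComboFix; it assumes ComboFix's usual text layout (section banners wrapped in parentheses, REGEDIT4-style key/value lines, `Rn`/`Sn` service lines). The sample text is a constructed excerpt of the posted log with service display names shortened; the function names and the `threshold` parameter are my own.

```python
"""Triage helpers for a ComboFix log (added example, not part of the post)."""
import re
from collections import defaultdict

# Constructed excerpt of the posted log; display names shortened for brevity.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\lowsec\local.ds
c:\windows\system32\sdra64.exe
c:\windows\lsass.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24082:TCP"= 24082:TCP:torrent
"24082:UDP"= 24082:UDP:torrent1
"10282:TCP"= 10282:TCP:spport
"15385:TCP"= 15385:TCP:spport
"26814:TCP"= 26814:TCP:spport
"25424:TCP"= 25424:TCP:spport

S2 gupdate;Google Update;c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
S2 RasMandmadmin;Remote Access RasMandmadmin; srv --> srv [?]
S2 RasManWDSmartWareBackgroundService;Remote Access WDSW;c:\windows\system32\AgCPanelGermanu.exe srv --> c:\windows\system32\AgCPanelGermanu.exe srv [?]

TCP: {3F8BE411-5F19-4682-AC26-5AE179F7D955} = 91.188.60.223,8.8.8.8
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(\S+)')
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]$")
DNS_RE = re.compile(r"^TCP:\s*\{[0-9A-Fa-f-]+\}\s*=\s*([\d.,]+)")
EXE_PATH_RE = re.compile(r"[a-z]:\\.*\.(exe|sys)", re.I)


def split_sections(text):
    """Group non-empty lines under the banner that precedes them."""
    sections, current = defaultdict(list), "header"
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
        elif line and line != ".":
            sections[current].append(line)
    return sections


def deleted_files(sections):
    """Paths ComboFix reports under its 'Deleted' banner."""
    return list(sections.get("Deleted", []))


def firewall_disabled(text):
    """True when the standard-profile EnableFirewall value is 0."""
    return re.search(r'"EnableFirewall"=\s*0\b', text) is not None


def open_ports_by_label(text):
    """Map each GloballyOpenPorts label to the (port, proto) pairs it opens."""
    by_label = defaultdict(list)
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            by_label[m.group(3)].append((int(m.group(1)), m.group(2)))
    return dict(by_label)


def suspicious_port_labels(text, threshold=3):
    """Labels that open `threshold` or more ports: legitimate software
    normally registers one or two exceptions under a descriptive name."""
    return sorted(label for label, ports in open_ports_by_label(text).items()
                  if len(ports) >= threshold)


def services_with_bad_image_path(text):
    """Services whose resolved image is not simply 'drive:\\...\\name.exe|sys'."""
    bad = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        image = m.group(4).strip()
        if "-->" in image:            # ComboFix prints 'image --> image [?]' when the file is missing
            image = image.split("-->")[-1].strip()
        if not EXE_PATH_RE.fullmatch(image):
            bad.append((m.group(2), image))
    return bad


def dns_servers(text):
    """DNS servers from the 'TCP: {interface GUID} = a,b' line(s)."""
    servers = []
    for line in text.splitlines():
        m = DNS_RE.match(line.strip())
        if m:
            servers.extend(m.group(1).split(","))
    return servers


def triage(text):
    sections = split_sections(text)
    return {
        "deleted": deleted_files(sections),
        "firewall_disabled": firewall_disabled(text),
        "generic_port_labels": suspicious_port_labels(text),
        "bad_service_images": services_with_bad_image_path(text),
        "dns_servers": dns_servers(text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running `triage()` over the full saved log (`open("ComboFix.txt", encoding="cp1250").read()` for a Polish XP box) gives a checklist to act on rather than something to scroll through: re-enable the firewall, remove the "spport" exceptions, delete the two services that resolve to " srv" and to the .exe with a trailing argument, and decide whether 91.188.60.223 is a DNS server the owner ever configured.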