ComboFix 12-02-23.01 - Admin 2012-02-25 7:38.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1250.48.1045.18.2037.1724 [GMT 1:00]
Uruchomiony z: c:\users\Admin\Desktop\Nowy folder\ComboFix.exe
AV: AntiVir Desktop *Enabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Enabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
 * Utworzono nowy punkt przywracania
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
c:\programdata\Roaming\Intel\Wireless\Settings\Settings.ini
c:\windows\$NtUninstallKB29254$
c:\windows\$NtUninstallKB29254$\2865632958
c:\windows\$NtUninstallKB29254$\4142695594\@
c:\windows\$NtUninstallKB29254$\4142695594\cfg.ini
c:\windows\$NtUninstallKB29254$\4142695594\Desktop.ini
c:\windows\$NtUninstallKB29254$\4142695594\L\ogejidap
.
Zainfekowana kopia c:\windows\system32\drivers\cdrom.sys została znaleziona. Problem naprawiono
Plik odzyskano z - The cat found it :)
c:\windows\system32\drivers\afd.sys . . . brak pliku!!
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-01-25 do 2012-02-25 )))))))))))))))))))))))))))))))
.
.
2012-02-25 06:47 . 2012-02-25 06:49 -------- d-----w- c:\users\Admin\AppData\Local\temp
2012-02-24 17:57 . 2010-04-27 14:19 1214976 ----a-w- c:\windows\system32\drivers\athr.sys
2012-02-24 09:23 . 2010-03-25 09:08 105984 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2012-02-24 09:23 . 2010-03-20 11:06 11136 ----a-w- c:\windows\system32\drivers\ew_usbenumfilter.sys
2012-02-24 09:23 . 2010-03-20 10:56 101504 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2012-02-24 09:23 . 2010-03-20 09:28 116736 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2012-02-24 09:23 . 2010-03-17 13:33 861696 ----a-w- c:\windows\system32\drivers\mod7700.sys
2012-02-24 09:23 . 2007-08-09 03:06 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2012-02-24 09:22 . 2012-02-24 09:23 -------- d-----w- c:\program files\PLAY ONLINE
2012-02-23 17:36 . 2012-02-23 17:36 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2012-02-20 16:22 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-02-20 16:22 . 2012-02-23 15:48 -------- d-----w- c:\program files\AVAST Software
2012-02-20 16:22 . 2012-02-20 16:22 -------- d-----w- c:\programdata\AVAST Software
2012-02-18 13:23 . 2012-02-21 15:16 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-16 14:36 . 2011-12-14 16:17 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 14:36 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-01-28 21:34 . 2012-01-28 21:34 -------- d-----w- c:\programdata\PC Tools
2012-01-28 21:34 . 2012-01-28 21:34 -------- d-----w- c:\users\Admin\AppData\Roaming\Product_RM
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 19673736]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-03 4702208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2010-08-05 104408]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 133656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4116904073-3438038410-1597625619-1000]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
regmanserv
acmservice
cisvc
cpqrcmc
rsvchost
ASMMAP
dvd_2K
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 17:33]
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 17:33]
.
2012-02-22 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2010-12-29 07:46]
.
2011-05-09 c:\windows\Tasks\User_Feed_Synchronization-{0388C9A5-8FE7-4F90-8023-F34E10850BFA}.job
- c:\windows\system32\msfeedssync.exe [2011-05-27 23:23]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://onet.pl/
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 85.219.212.253 85.219.244.253
TCP: Interfaces\{a934ccd0-ecd9-4c27-adaf-220e6a2c7193}: NameServer = 192.168.1.1
DPF: {F6D13A55-3261-4E6F-8BCC-AB18FF8291BC} - hxxp://www.delight3d.com/delight3d_1.4.cab
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dnjmd72n.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
URLSearchHooks-{5c81f57f-3cf7-4785-b4ef-11ace31aec4f} - (no file)
WebBrowser-{5C81F57F-3CF7-4785-B4EF-11ACE31AEC4F} - (no file)
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-25 07:51
Windows 6.0.6002 Service Pack 2 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'Explorer.exe'(620)
c:\program files\WinRAR\rarext.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Czas ukończenia: 2012-02-25 07:55:30 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2012-02-25 06:55
.
Przed: 3 300 130 816 bajtów wolnych
Po: 3 187 548 160 bajtów wolnych
.
- - End Of File - - C7CF54F1EC8035D57429FED3BD2ADE04