ComboFix 12-03-18.04 - wqw 2012-03-20 22:19:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2046.1691 [GMT 1:00]
Run from: c:\documents and settings\wqw\Pulpit\ComboFix.exe
.
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\wqw\Dane aplikacji\PriceGong
c:\documents and settings\wqw\Dane aplikacji\PriceGong\Data\mru.xml
c:\documents and settings\wqw\Ustawienia lokalne\Dane aplikacji\72fa0318\U
c:\documents and settings\wqw\Ustawienia lokalne\Dane aplikacji\72fa0318\U\80000000.@
c:\documents and settings\wqw\Ustawienia lokalne\Dane aplikacji\72fa0318\U\800000cb.@
c:\documents and settings\wqw\Ustawienia lokalne\Dane aplikacji\72fa0318\U\800000cf.@
c:\documents and settings\wqw\Ustawienia lokalne\Dane aplikacji\Gameztar Toolbar
c:\program files\StartSearch plugin
c:\program files\StartSearch plugin\IEhelperActiveX.dll
c:\program files\StartSearch plugin\StartBar.dll
c:\program files\StartSearch plugin\uninst.exe
c:\program files\StartSearch plugin\vshareplg.crx
c:\windows\$NtUninstallKB36381$
c:\windows\$NtUninstallKB36381$\1928987416\@
c:\windows\$NtUninstallKB36381$\1928987416\L\xmhodzdk
c:\windows\$NtUninstallKB36381$\1928987416\loader.tlb
c:\windows\$NtUninstallKB36381$\1928987416\U\@00000001
c:\windows\$NtUninstallKB36381$\1928987416\U\@000000c0
c:\windows\$NtUninstallKB36381$\1928987416\U\@000000cb
c:\windows\$NtUninstallKB36381$\1928987416\U\@000000cf
c:\windows\$NtUninstallKB36381$\1928987416\U\@80000000
c:\windows\$NtUninstallKB36381$\1928987416\U\@800000c0
c:\windows\$NtUninstallKB36381$\1928987416\U\@800000cb
c:\windows\$NtUninstallKB36381$\1928987416\U\@800000cf
c:\windows\$NtUninstallKB36381$\2333208628
c:\windows\dasetup.log
c:\windows\system32\{85ccb53b-23d8-4e73-b1b7-9ddb71827d9b}.dll
c:\windows\system32\cygserver.dll
c:\windows\system32\dds_log_ad13.cmd
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ip_fw
-------\Legacy_clr_optimization_v2.0.50215_32
-------\Legacy_konfig
-------\Legacy_sgeclient
-------\Service_clr_optimization_v2.0.50215_32
-------\Service_konfig
-------\Service_sgeclient
.
.
((((((((((((((((((((((((( Files Created from 2012-02-20 to 2012-03-20 )))))))))))))))))))))))))))))))
.
.
2012-03-20 21:26 . 2012-03-20 21:26 -------- d-----w- c:\windows\system32\wbem\snmp
2012-03-20 10:28 . 2012-03-20 10:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-19 15:20 . 2012-03-19 15:20 -------- d-----w- c:\documents and settings\wqw\Dane aplikacji\Malwarebytes
2012-03-19 15:20 . 2012-03-19 15:20 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Malwarebytes
2012-03-19 15:20 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-18 21:05 . 2012-03-20 21:24 -------- d-sh--w- c:\documents and settings\wqw\Ustawienia lokalne\Dane aplikacji\72fa0318
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-13 04:38 . 2012-03-19 15:05 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}"= "c:\program files\IncrediMail_MediaBar_2\tbIncr.dll" [2010-09-12 3863136]
.
[HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-09-12 14:02 3863136 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
2010-09-12 14:02 3863136 ----a-w- c:\program files\IncrediMail_MediaBar_2\tbIncr.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}"= "c:\program files\IncrediMail_MediaBar_2\tbIncr.dll" [2010-09-12 3863136]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-09-12 3863136]
.
[HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}"= "c:\program files\IncrediMail_MediaBar_2\tbIncr.dll" [2010-09-12 3863136]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-09-12 3863136]
.
[HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-02-15 2471472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-26 8462336]
"nwiz"="nwiz.exe" [2007-06-26 1626112]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2007-06-26 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"WLSS"="c:\program files\Compal\Wireless Select Switch\WLSS.exe" [2007-04-23 190000]
"ACU"="c:\program files\Atheros\ACU.exe" [2007-05-03 376921]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Malwarebytes' Anti-Malware"="d:\programy\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-04-29 124928]
.
c:\documents and settings\wqw\Menu Start\Programy\Autostart\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Microsoft Office.lnk - d:\programy\Office\Office\OSA9.EXE [1999-2-17 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Programy\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\CyberLink\\Power2Go\\Power2GoExpress.exe"=
.
R?2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-02-02 18656]
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2008-08-28 9856]
R2 MBAMService;MBAMService;d:\programy\Malwarebytes' Anti-Malware\mbamservice.exe [2012-03-19 652360]
R2 MSSQL$ELFADP;MSSQL$ELFADP;d:\programy\Design Program\MSSQL$ELFADP\Binn\sqlservr.exe -sELFADP --> d:\programy\Design Program\MSSQL$ELFADP\Binn\sqlservr.exe -sELFADP [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-03-19 20464]
S?2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S3 SQLAgent$ELFADP;SQLAgent$ELFADP;d:\programy\Design Program\MSSQL$ELFADP\Binn\sqlagent.EXE -i ELFADP --> d:\programy\Design Program\MSSQL$ELFADP\Binn\sqlagent.EXE -i ELFADP [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
NETSVCS NEEDS REPAIR - showing currently existing entries
6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto savscan acnusvc utilman ASNDIS5 alertmanager backupexecdevicemediaservice tvtfilter ac97intc backupclientsvc ziptoa bcm43xx Wtcls2k symevent pptchpad mfeapfk bmwebcfg NICSer_WPC300N fasttraksvc {a7447300-8075-4b0d-83f1-3d75c8ebc623} epsonbidirectionalservice pdiddcci cdfsvc YahooAUService mwspollserver carboniteservice pchost advantage dlbu_device AsIO dcpflics bwcsrv mwsarcpkt btaudio w810mgmt lxcd_device dnetc mcnasvc backupexecjobengine TPM hpci elosystemservice ppmoucls smtpd32 ScFBPNT3 vmodem Alpham2 GMSIPCI SQLAgent$MICROSOFTBCM GameConsoleService vrfwsvc FreshIO raysatxsi5_0server s217obex sdcoreservice CYGF32X tifm21 pcampr5 teefer ssm_bus PSSdk23 nipxirmu grmnusb konfig mssql$sony_mediamgr vpcvmm id2scaps snareiis nvstor64 SMNDIS5 ser2plms CSRBC sgeclient WinDriver6 SE2Bmdm allegro ASDR TICalc hpqcxs08 datasvr avg7updsvc Spsmqvsm pivot LEX_AS_NIC_SERVICE_YNOS nimdbgk OVT511Plus akshasp pcscnsrv clr_optimization_v2.0.50215_32 se44obex LHidFilt SED133x avg7alrt patrol_scheduler mcrdsvc vcomm videX32 Udfreadr_xp s117bus efs thpsrv lusbaudio klblmain pdlnatcm nbservice interactivelogon w200mdfl sgectl cq_mem GTPTSER NxSysMon z525mdfl lxce_device Shockprf sfilter LMouKE jukebox3 pcx1nd5 Mvc25U870_VID_1262&PID_25FD clisvc hidir pnarp lightscribeservice ha10kx2k AVCamUSB20 PAR1284 a8djusb SaiU040B DellAMBrokerService inorpc autocomplete ss_bus FETNDIS AppnBase DXEC02 retrolauncher P16X ROB_V intelroam sis162u cwafeventrouter GTWModem sfdrv01 Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov napagent hkmsvc BITS wuauserv ShellHWDetection helpsvc WmdmPmSN
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 13:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.pl/
mStart Page = hxxp://www.google.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.10.1
FF - ProfilePath - c:\documents and settings\wqw\Dane aplikacji\Mozilla\Firefox\Profiles\fizlhfu4.default\
FF - prefs.js: browser.startup.homepage - google.pl
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-KTPWare - c:\program files\Elantech\ktp.exe
AddRemove-001FFF1FFF14FF00FF1801F02F02F000-R1 - f:\archicad14\Uninstall.AC\uninstaller.exe
AddRemove-LiveVDO plugin - c:\program files\StartSearch plugin\uninst.exe
AddRemove-Winamp Toolbar for Firefox - c:\documents and settings\wqw\Dane aplikacji\Mozilla\Firefox\Profiles\fizlhfu4.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-20 22:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1456)
c:\windows\system32\AcSignIcon.dll
c:\windows\system32\msi.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
d:\programy\Design Program\MSSQL$ELFADP\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\imapi.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-03-20 22:29:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-20 21:28
.
Pre-Run: 30 266 314 752 bytes free
Post-Run: 35 920 678 912 bytes free
.
- - End Of File - - 64A663C4A520565033B549A3C4C8C782
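The points in this log a responder should pull out are: a patched system driver (afd.sys), a modified netsvcs svchost group, Security Center told to ignore the missing antivirus (AntiVirusOverride=1), the Windows Firewall off for the standard profile, no Recovery Console to back out a failed driver repair, and a cluster of deleted files whose names are a bare `@` or a hex string with a `.@` extension. The script below is an added triage example, not part of the original post and not ComboFix's own code: it parses the ComboFix section and REGEDIT-style layout as printed above and emits those findings. The embedded sample is an excerpt copied from this log (English wording as translated above), and the `@`-name pattern is derived from the Deleted section here, not from any published indicator list.

```python
"""Triage a ComboFix log for the settings and file names that matter to a responder.

Added example; the SAMPLE_LOG excerpt is copied from the log above so the
script runs offline. ComboFix prints sections between runs of parentheses,
registry keys in [brackets] and values as "name"=value, which is what the
regular expressions below match.
"""
import re

SAMPLE_LOG = r"""
ComboFix 12-03-18.04 - wqw 2012-03-20 22:19:26.1.2 - x86
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\wqw\Dane aplikacji\PriceGong
c:\documents and settings\wqw\Ustawienia lokalne\Dane aplikacji\72fa0318\U\80000000.@
c:\windows\$NtUninstallKB36381$\1928987416\@
c:\windows\$NtUninstallKB36381$\1928987416\U\@80000000
c:\windows\system32\cygserver.dll
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
NETSVCS NEEDS REPAIR - showing currently existing entries
"""

SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
# File names seen in the Deleted section: a bare "@", "@" + hex, or hex + ".@".
# This pattern is taken from the log itself, not from a vendor indicator list.
PAYLOAD_NAME_RE = re.compile(r"\\(?:@[0-9a-f]*|[0-9a-f]+\.@)$", re.IGNORECASE)


def parse_sections(text):
    """Split the log into {section_name: [lines]}; text before the first header is '_header'."""
    sections = {"_header": []}
    current = "_header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix uses "." as a blank spacer
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def registry_values(lines):
    """Yield (key, name, value) triples from REGEDIT-style lines."""
    key = None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2).strip()


def triage(text):
    """Return a list of human-readable findings for the log text."""
    findings = []
    sections = parse_sections(text)
    all_lines = [l for lines in sections.values() for l in lines]

    if any("RECOVERY CONSOLE" in l.upper() and "NOT" in l.upper() for l in all_lines):
        findings.append("no Recovery Console: a failed driver repair cannot be backed out offline")

    for line in all_lines:
        m = re.match(r"^Infected copy of (.+?) was found", line)
        if m:
            findings.append(f"system driver was patched in place: {m.group(1)}")
        if line.startswith("NETSVCS NEEDS REPAIR"):
            findings.append("netsvcs svchost group was modified (extra service names registered)")

    for path in sections.get("Deleted", []):
        if PAYLOAD_NAME_RE.search(path):
            findings.append(f"payload-style file name removed: {path}")

    for key, name, value in registry_values(all_lines):
        k = key.lower()
        if k.endswith("security center") and name == "AntiVirusOverride" and value.endswith("00000001"):
            findings.append("Security Center AV alerts suppressed (AntiVirusOverride=1)")
        if "firewallpolicy" in k and name == "EnableFirewall" and value.split()[0] == "0":
            profile = key.split("\\")[-1]
            findings.append(f"Windows Firewall disabled in profile: {profile}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run it against a full log with `triage(open("ComboFix.txt", encoding="cp1250").read())`; on a Polish-locale machine such as the one above the section headers will be in Polish, so translate them or extend `SECTION_RE` before relying on the `Deleted` lookup.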