ComboFix 12-07-16.01 - jacek 2012-07-18 7:45.2.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.2047.1757 [GMT 2:00]
Uruchomiony z: c:\documents and settings\jacek\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\jacek\Pulpit\CFScript.txt
AV: Kaspersky Anti-Virus *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\BOS
c:\bos\bos.exe
c:\bos\din.exe
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-06-18 do 2012-07-18 )))))))))))))))))))))))))))))))
.
.
2012-07-17 15:55 . 2012-07-17 15:56 -------- d-----w- c:\program files\trend micro
2012-07-17 15:54 . 2012-07-17 15:56 -------- d-----w- C:\rsit
2012-07-17 06:42 . 2012-07-17 06:42 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-07-17 06:42 . 2012-07-17 06:42 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-07-17 04:46 . 2012-07-17 04:46 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Installations
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-14 06:48 . 2012-04-07 05:47 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-14 06:48 . 2011-06-11 13:01 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-09 22:01 . 2012-05-09 22:01 170080 ----a-w- c:\windows\system32\drivers\snapman.sys
2012-07-17 06:42 . 2011-05-09 16:22 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{51a86bb3-6602-4c85-92a5-130ee4864f13}"= "c:\program files\BrotherSoft_Extreme\prxtbBro0.dll" [2011-05-09 176936]
"{d43723ae-1ae1-4a25-a6a4-bf0929273cab}"= "c:\program files\Ashampoo_PO\prxtbAsha.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{51a86bb3-6602-4c85-92a5-130ee4864f13}]
.
[HKEY_CLASSES_ROOT\clsid\{d43723ae-1ae1-4a25-a6a4-bf0929273cab}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51a86bb3-6602-4c85-92a5-130ee4864f13}]
2011-05-09 09:49 176936 ----a-w- c:\program files\BrotherSoft_Extreme\prxtbBro0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d43723ae-1ae1-4a25-a6a4-bf0929273cab}]
2011-05-09 08:49 176936 ----a-w- c:\program files\Ashampoo_PO\prxtbAsha.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{51a86bb3-6602-4c85-92a5-130ee4864f13}"= "c:\program files\BrotherSoft_Extreme\prxtbBro0.dll" [2011-05-09 176936]
"{d43723ae-1ae1-4a25-a6a4-bf0929273cab}"= "c:\program files\Ashampoo_PO\prxtbAsha.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{51a86bb3-6602-4c85-92a5-130ee4864f13}]
.
[HKEY_CLASSES_ROOT\clsid\{d43723ae-1ae1-4a25-a6a4-bf0929273cab}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{51A86BB3-6602-4C85-92A5-130EE4864F13}"= "c:\program files\BrotherSoft_Extreme\prxtbBro0.dll" [2011-05-09 176936]
"{D43723AE-1AE1-4A25-A6A4-BF0929273CAB}"= "c:\program files\Ashampoo_PO\prxtbAsha.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{51a86bb3-6602-4c85-92a5-130ee4864f13}]
.
[HKEY_CLASSES_ROOT\clsid\{d43723ae-1ae1-4a25-a6a4-bf0929273cab}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu 10"="c:\program files\Gadu-Gadu 10\gg.exe" [2010-07-21 12477024]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-02-16 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2008-10-13 50472]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT LGE"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-11 81920]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2008-03-06 241664]
"WOOWATCH"="c:\progra~1\Wanadoo\Watch.exe" [2002-12-09 20480]
"WOOTASKBARICON"="c:\progra~1\Wanadoo\TaskbarIcon.exe" [2002-12-09 45056]
"AdslTaskBar"="stmctrl.dll" [2008-04-23 167936]
"InstantAccess"="c:\program files\ScannerU\TBRIDGE\BIN\InstantAccess.exe" [1998-07-08 37376]
"RegisterDropHandler"="c:\program files\ScannerU\TBRIDGE\BIN\RegisterDropHandler.exe" [1998-07-08 22528]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2011-12-22 70792]
"EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2011-12-26 743560]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\prwntdrv]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Action Manager 32.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Action Manager 32.lnk
backup=c:\windows\pss\Action Manager 32.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^BDARemote.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\BDARemote.lnk
backup=c:\windows\pss\BDARemote.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^jacek^Menu Start^Programy^Autostart^MagicDisc.lnk]
path=c:\documents and settings\jacek\Menu Start\Programy\Autostart\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-05-03 20:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-03 23:44 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-08-03 04:12 577536 ----a-w- c:\windows\soundman.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
2002-06-06 09:15 861184 ----a-w- c:\program files\Alcatel\SpeedTouch USB\dragdiag.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SRS Audio Sandbox]
2010-03-20 18:01 3215360 ----a-w- c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 10:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SwitchBoard"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Dane aplikacji\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\Polish\\setup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD Cinema\\PowerDVDCinema.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"=
"c:\\Program Files\\Gadu-Gadu 10\\gg.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"f:\\Vsk5Online\\Vsk5Online.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"f:\\World_of_Tanks\\WOTLauncher.exe"=
"f:\\World_of_Tanks\\WorldOfTanks.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\Agent.exe"=
"c:\\Program Files\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2012-05-03 50312]
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2009-12-01 40368]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-06-09 11352]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-05-07 32856]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2011-01-02 27632]
R3 Stmatm;ATM/ADSL miniport;c:\windows\system32\drivers\stmatm.sys [2011-05-25 60533]
S0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [2012-05-03 43784]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-11-17 691696]
S1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2012-05-03 16008]
S1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [2012-05-03 185864]
S2 BulkUsb;Plustek USB Scanner;c:\windows\system32\drivers\usbscan.sys [2011-06-13 15104]
S2 EaseUS Agent;EaseUS Agent;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [2012-05-03 61064]
S2 Guard Agent;Guard Agent;c:\program files\EaseUS\Todo Backup\bin\GuardAgent.exe [2012-05-03 23176]
S2 gupdate;Usługa Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-08 135664]
S2 Wybór systemu operacyjnego;Aktywator programu Acronis OS Selector;c:\program files\Acronis\DiskDirector\OSS\reinstall_svc.exe [2010-07-05 2155736]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 250056]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2011-01-02 13224]
S3 gupdatem;Usługa Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-08 135664]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-02 19472]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-16 113120]
S3 prwntdrv;prwntdrv;c:\windows\system32\prwntdrv.sys [2012-05-09 13064]
S3 TaurusUsb;Siemens ADSL Modem USB Service;c:\windows\system32\drivers\torususb.sys [2011-05-25 688864]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [2009-11-26 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [2009-11-26 500608]
S4 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-07-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 06:48]
.
2012-07-17 c:\windows\Tasks\AdobeAAMUpdater-1.0-JACEK-I2XXWE9M7-jacek.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-08-11 01:44]
.
2012-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-08 10:04]
.
2012-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-08 10:04]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.fr
uInternet Settings,ProxyOverride = *.local
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{284FF4D2-2F21-4F0D-8D01-87FB6EFCB84C}: NameServer = 192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\jacek\Dane aplikacji\Mozilla\Firefox\Profiles\yg3fzps3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2776682&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-18 07:50
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2f073ca8-2747-45d5-9a9f-3cb1fa449a0a}]
@Denied: (Full) (Everyone)
"Model"=dword:00000129
"Therad"=dword:0000001b
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):5e,0b,48,64,64,28,09,7c,e4,42,1f,84,80,ad,be,2a,05,89,e8,2a,cc,
   da,cf,57,71,21,ba,a2,80,d1,a7,cf,7e,5e,40,81,90,52,80,f1,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6de9be50-61ad-4ef2-a602-83f4406055cc}]
@Denied: (Full) (Everyone)
"Model"=dword:0000016a
"Therad"=dword:00000015
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
   1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):11,d2,1f,aa,6b,c7,6d,57,fc,20,e7,92,c3,55,8f,da,51,8a,0b,ab,3b,
   b3,5a,b5,55,ba,99,7a,f2,42,64,42,d8,c9,02,a0,e7,95,e3,ff,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\PNP0F13\4&26dd0f47&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,
   00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,
   00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_09da&Pid_024f&MI_01&Col01\7&14b76e39&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Czas ukończenia: 2012-07-18 07:52:26
ComboFix-quarantined-files.txt 2012-07-18 05:52
ComboFix2.txt 2012-07-17 14:27
.
Przed: 20 098 711 552 bajtów wolnych
Po: 20 085 641 216 bajtów wolnych
.
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - CB00AC30D1C3EB141C79CF4AE0E662DE