ComboFix 12-09-24.03 - Ja 2012-09-25 20:05:22.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.48.1045.18.2046.1195 [GMT 2:00]
Uruchomiony z: c:\users\Ja\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB61398$
c:\windows\system32\DEBUG.log
.
Zainfekowana kopia c:\windows\system32\drivers\netbt.sys została znaleziona. Problem naprawiono
Plik odzyskano z - The cat found it :)
.
((((((((((((((((((((((((( Pliki utworzone od 2012-08-25 do 2012-09-25 )))))))))))))))))))))))))))))))
.
.
2012-09-25 18:18 . 2012-09-25 18:22 -------- d-----w- c:\users\Ja\AppData\Local\temp
2012-09-25 18:18 . 2012-09-25 18:18 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-25 18:18 . 2012-09-25 18:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-25 15:47 . 2012-09-25 15:47 466008 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-09-25 15:15 . 2012-09-25 15:15 -------- d-----w- c:\program files\Common Files\Skype
2012-09-25 03:55 . 2012-08-30 08:17 6980552 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{46B8ACAF-730F-4CF8-B5C7-9DE9B815C2F7}\mpengine.dll
2012-09-03 15:11 . 2012-09-03 15:11 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-20 22:34 . 2012-04-04 08:43 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-20 22:34 . 2011-07-25 15:01 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-05 11:22 . 2012-07-05 11:02 235 ----a-w- c:\windows\system32\nxEuUninstall.bat
2012-07-04 14:02 . 2012-08-15 05:13 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-09-25 09:36 . 2012-09-25 09:36 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 09:06 163328 --sha-r- c:\windows\System32\flvDX.dll
2007-02-21 10:47 31232 --sha-r- c:\windows\System32\msfDX.dll
2008-03-16 12:30 216064 --sha-r- c:\windows\System32\nbDX.dll
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Ja\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 172568]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-11-28 296056]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-06-11 641704]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
c:\users\Ja\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Facebook Messenger.lnk - c:\users\Ja\AppData\Local\Facebook\Messenger\2.1.4631.0\FacebookMessenger.exe [2012-9-5 247728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhilipsDM]
2009-12-12 16:45 40960 ----a-w- c:\program files\Philips\SA43xx\Philips Device Manager\bin\LaunchDM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 09:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-11-28 00:15 296056 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-70149214-1339082029-3386996294-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
{6080a529-897e-4629-a488-aba0c29b635e}
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 08:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-09-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 22:34]
.
2012-09-24 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-70149214-1339082029-3386996294-1000Core.job
- c:\users\Ja\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-06-30 22:42]
.
2012-09-25 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-70149214-1339082029-3386996294-1000UA.job
- c:\users\Ja\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-06-30 22:42]
.
2012-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-10 13:41]
.
2012-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-10 13:41]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://arkowcy.pl/
mStart Page = hxxp://www.google.com
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 217.172.224.160 89.231.1.206
FF - ProfilePath - c:\users\Ja\AppData\Roaming\Mozilla\Firefox\Profiles\wev3esra.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl/
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
HKLM-Run-ROC_roc_ssl_v12 - c:\program files\AVG Secure Search\ROC_roc_ssl_v12.exe
SafeBoot-12356984.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-25 20:24
Windows 6.0.6002 Service Pack 2 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5}"=hex:51,66,7a,6c,4c,1d,38,12,55,e2,d0,\
   7e,f8,75,36,04,cc,26,b5,2d,be,5d,85,a1
"{32099AAC-C132-4136-9E9A-4E364A424E17}"=hex:51,66,7a,6c,4c,1d,38,12,c2,99,1a,\
   36,00,8f,58,04,e1,8c,0d,76,4f,1c,0a,03
"{EEE6C35B-6118-11DC-9C72-001320C79847}"=hex:51,66,7a,6c,4c,1d,38,12,35,c0,f5,\
   ea,2a,2f,b2,54,e3,64,43,53,25,99,dc,53
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,\
   1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{3049C3E9-B461-4BC5-8870-4C09146192CA}"=hex:51,66,7a,6c,4c,1d,38,12,87,c0,5a,\
   34,53,fa,ab,0e,f7,66,0f,49,11,3f,d6,de
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,\
   72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{78F3A323-798E-4AEA-9A57-88F4B05FD5DD}"=hex:51,66,7a,6c,4c,1d,38,12,4d,a0,e0,\
   7c,bc,37,84,0f,e5,41,cb,b4,b5,01,91,c9
"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,\
   aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,\
   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{EEE6C35C-6118-11DC-9C72-001320C79847}"=hex:51,66,7a,6c,4c,1d,38,12,32,c0,f5,\
   ea,2a,2f,b2,54,e3,64,43,53,25,99,dc,53
"{F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D}"=hex:51,66,7a,6c,4c,1d,38,12,6c,7c,df,\
   f1,7c,21,0c,01,ca,a7,7a,0a,52,a3,7a,19
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,\
   fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,\
   b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:11,ef,9b,5d,36,2f,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,\
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,95,b7,f6,f9,2e,ab,87,4f,84,3d,89,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,\
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,95,b7,f6,f9,2e,ab,87,4f,84,3d,89,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\atiesrxx.exe
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\conime.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\NOTEPAD.EXE
.
**************************************************************************
.
Czas ukończenia: 2012-09-25 20:31:43 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2012-09-25 18:31
.
Przed: 145 370 988 544 bajtów wolnych
Po: 147 545 776 128 bajtów wolnych
.
- - End Of File - - 97F2410C17A9C07402ED9AE5E16BB08E