ComboFix 12-10-04.01 - Jakub 2012-10-05 17:07:42.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.48.1045.18.3070.2578 [GMT 2:00]
Uruchomiony z: f:\programy do usuniecia wirusa\Combofix\ComboFix.exe
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ajmnraui.exe
c:\users\Jakub\AppData\Local\Minibar
c:\users\Jakub\AppData\Local\Minibar\chrome\background.html
c:\users\Jakub\AppData\Local\Minibar\chrome\cached_http_request.js
c:\users\Jakub\AppData\Local\Minibar\chrome\extension_info.json
c:\users\Jakub\AppData\Local\Minibar\chrome\icons\icon128.png
c:\users\Jakub\AppData\Local\Minibar\chrome\icons\icon19.png
c:\users\Jakub\AppData\Local\Minibar\chrome\icons\icon32.png
c:\users\Jakub\AppData\Local\Minibar\chrome\icons\icon48.png
c:\users\Jakub\AppData\Local\Minibar\chrome\includes\content.js
c:\users\Jakub\AppData\Local\Minibar\chrome\includes\content_kango.js
c:\users\Jakub\AppData\Local\Minibar\chrome\includes\content_messaging.js
c:\users\Jakub\AppData\Local\Minibar\chrome\includes\content_userscript.js
c:\users\Jakub\AppData\Local\Minibar\chrome\kango-ui\button.js
c:\users\Jakub\AppData\Local\Minibar\chrome\kango-ui\ui.js
c:\users\Jakub\AppData\Local\Minibar\chrome\kango\browser.js
c:\users\Jakub\AppData\Local\Minibar\chrome\kango\console.js
c:\users\Jakub\AppData\Local\Minibar\chrome\kango\event_listener.js
c:\users\Jakub\AppData\Local\Minibar\chrome\kango\initialize.js
c:\users\Jakub\AppData\Local\Minibar\chrome\kango\io.js
c:\users\Jakub\AppData\Local\Minibar\chrome\kango\jsonstorage.js
c:\users\Jakub\AppData\Local\Minibar\chrome\kango\kango.js
c:\users\Jakub\AppData\Local\Minibar\chrome\kango\lang.js
c:\users\Jakub\AppData\Local\Minibar\chrome\kango\messaging.js
c:\users\Jakub\AppData\Local\Minibar\chrome\kango\userscript_engine.js
c:\users\Jakub\AppData\Local\Minibar\chrome\kango\xhr.js
c:\users\Jakub\AppData\Local\Minibar\chrome\main.js
c:\users\Jakub\AppData\Local\Minibar\chrome\manifest.json
c:\users\Jakub\AppData\Local\Minibar\chrome\minibar\actions.js
c:\users\Jakub\AppData\Local\Minibar\chrome\minibar\cachedxhr.js
c:\users\Jakub\AppData\Local\Minibar\chrome\minibar\config.js
c:\users\Jakub\AppData\Local\Minibar\chrome\minibar\macros.js
c:\users\Jakub\AppData\Local\Minibar\chrome\minibar\minibar.js
c:\users\Jakub\AppData\Local\Minibar\chrome\popup.html
c:\users\Jakub\AppData\Local\Minibar\chrome\popup.js
c:\users\Jakub\AppData\Local\Minibar\chrome\tab.html
c:\users\Jakub\AppData\Local\Minibar\chrome\tab.js
c:\users\Jakub\AppData\Local\Minibar\chrome_installer.js
c:\users\Jakub\AppData\Local\Minibar\common.js
c:\users\Jakub\AppData\Local\Minibar\install.json
c:\users\Jakub\AppData\Local\Minibar\minibar.crx
c:\users\Jakub\AppData\Local\Minibar\sqlite3.exe
c:\users\Jakub\AppData\Local\Minibar\Uninstall.exe
c:\users\Jakub\ms.exe
c:\windows\IsUn0415.exe
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\AutoRun.inf
c:\windows\system32\n.dll
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-09-05 do 2012-10-05 )))))))))))))))))))))))))))))))
.
.
2012-10-05 14:19 . 2012-10-05 14:19 -------- d-----w- C:\found.003
2012-10-05 14:14 . 2012-10-05 14:14 4096 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2012-10-05 14:14 . 2012-10-05 14:14 24033 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2012-10-05 14:14 . 2012-10-05 14:14 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2012-10-05 14:14 . 2012-10-05 14:14 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2012-10-05 14:14 . 2012-10-05 14:14 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2012-10-05 14:14 . 2012-10-05 14:14 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2012-09-29 12:22 . 2012-09-29 12:22 -------- d-----w- c:\programdata\leyhzfwqmzmcfcn
2012-09-28 14:01 . 2012-09-28 14:01 782608 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-16 18:40 . 2011-04-08 18:54 139048 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-08-16 18:40 . 2011-04-09 15:33 282296 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-08-16 18:40 . 2011-04-08 18:53 282296 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-08-16 18:38 . 2011-04-08 18:53 215128 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-08-13 09:30 . 2011-04-08 18:54 138056 ----a-w- c:\users\Jakub\AppData\Roaming\PnkBstrK.sys
2012-08-13 09:30 . 2012-04-13 16:15 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2012-08-06 18:53 . 2011-04-08 18:53 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2012-07-20 20:00 . 2012-07-20 20:00 2363392 ----a-r- c:\users\Jakub\AppData\Roaming\Microsoft\Installer\{E33DB440-A008-4928-8A4E-5FC5ADDED608}\soffice.exe
2012-07-11 09:15 . 2012-07-11 09:16 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-07-11 09:15 . 2012-02-19 12:52 472840 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-14 00:15 . 2012-07-23 11:28 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"Akamai NetSession Interface"="c:\users\Jakub\AppData\Local\Akamai\netsession_win.exe" [2012-08-10 4440896]
"Steam"="c:\program files\Steam\steam.exe" [2012-08-14 1353080]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"EADM"="c:\program files\Origin\Origin.exe" [2012-09-21 3341464]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-05-24 336384]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IsMyWinLockerReboot"="msiexec.exe" [2009-04-10 73216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\fsproflt]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Symfonia® PDF.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Symfonia® PDF.lnk
backup=c:\windows\pss\Symfonia® PDF.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2009-10-28 02:30 1701888 ----a-r- c:\program files\VIA\VIAudioi\VDeck\VDeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-11 20:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PKTray]
2010-12-06 12:59 242448 ----a-w- c:\program files\Przyspiesz Komputer\PKTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sage Komunikator]
2010-11-15 13:45 247008 ----a-w- c:\program files\Sage\Komunikator\SageUpdt.exe
.
R2 .1293642005;1293642005;c:\program files\1293642005\Jakub1293642005L.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Akamai REG_MULTI_SZ Akamai
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-09-28 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2012-06-27 21:07]
.
2012-10-05 c:\windows\Tasks\ParetoLogic Update Version3 Startup Task.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2012-06-27 21:07]
.
2012-07-23 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2012-06-27 21:07]
.
2012-07-23 c:\windows\Tasks\RegCure Pro.job
- c:\program files\ParetoLogic\RegCure Pro\RegCurePro.exe [2012-08-27 20:23]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://mystart.incredibar.com/mb128?a=6PQAXjzL1C&i=26
mStart Page = hxxp://home.sweetim.com/?crg=3.1010000.10011
uInternet Settings,ProxyOverride =
TCP: DhcpNameServer = 192.168.1.100
FF - ProfilePath - c:\users\Jakub\AppData\Roaming\Mozilla\Firefox\Profiles\vo5ke9gu.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/
FF - user.js: extentions.y2layers.installId - 87ba673f-8ee5-4d26-b902-c8c80e3c7abb
FF - user.js: extentions.y2layers.defaultEnableAppsList - DropDownDeals,ezLooker,pagerage,buzzdock,toprelatedtopics,twittube
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6PQAXjzL1C&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - 98a0714100000000000020cf30c18c98
FF - user.js: extensions.incredibar_i.instlDay - 15510
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1416:43
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6PQAXjzL1C
FF - user.js: extensions.incredibar_i.upn2n - 92543087771524568
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10658
FF - user.js: extensions.incredibar_i.ppd -
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKCU-Run-Norton Download Manager{NIS_prod_1.6.18_18.6.0.29} - c:\users\Public\Downloads\Norton\{NIS_prod_1.6.18_18.6.0.29}\NISDownloader.exe
HKCU-Run-ajmnrauimkhvwgo - c:\programdata\ajmnraui.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
MSConfigStartUp-MSF_Monitor - c:\progra~1\MYSECR~1\MSFMON.exe
MSConfigStartUp-mylbx - c:\program files\My Lockbox\mylbx.exe
MSConfigStartUp-Rubin - c:\users\Jakub\AppData\Local\Rubin\rubin.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-05 17:14
Windows 6.0.6002 Service Pack 2 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_4f7fccd.dll"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_USERS\S-1-5-21-2977438242-1472954224-347982911-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e4,43,98,f5,07,15,de,81,bc,55,91,6d,df,5d,70,9e,50,fb,17,5c,cc,19,ec,
 c2,11,e2,db,39,5a,67,a5,17,4c,7f,97,1f,b8,d8,dc,b3,46,c1,05,bb,f9,8e,bb,0b,\
"??"=hex:3f,eb,b2,a8,d5,51,4b,c2,1b,01,ec,08,0f,18,11,95
.
[HKEY_USERS\S-1-5-21-2977438242-1472954224-347982911-1000\Software\SecuROM\License information*]
"datasecu"=hex:88,92,28,b6,40,97,7b,90,bc,da,4d,c7,39,60,5f,c1,81,e0,95,61,f2,
 59,63,bb,31,98,40,bf,52,24,d4,9d,07,aa,62,8e,fb,6b,7e,b4,5b,eb,32,de,40,03,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
Czas ukończenia: 2012-10-05 17:15:40
ComboFix-quarantined-files.txt 2012-10-05 15:15
.
Przed: 47 260 782 592 bajtów wolnych
Po: 47 660 089 344 bajtów wolnych
.
- - End Of File - - 8AE46B2C6E18DC4919AB4F7ED06019AD