ComboFix 11-05-25.02 - Administrator 2011-05-26 11:07:09.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.502.259 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Pulpit\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\autorun.inf
c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\unins000.exe
c:\documents and settings\Administrator\xmlUpdater.exe
c:\documents and settings\Default User\xmlUpdater.exe
c:\windows\Fonts\mlog
c:\windows\system32\config\systemprofile\xmlUpdater.exe
c:\windows\system32\msconfig.exe
c:\windows\system32\szetyj67v.txt
D:\autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-26 to 2011-05-26 )))))))))))))))))))))))))))))))
.
.
2011-05-25 22:29 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-25 22:29 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-25 22:29 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-25 22:29 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-25 22:29 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-25 22:29 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-25 22:29 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-25 22:29 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-25 22:28 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-05-25 22:28 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-25 22:28 . 2011-05-25 22:28 -------- d-----w- c:\program files\AVAST Software
2011-05-25 22:28 . 2011-05-25 22:28 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\AVAST Software
2011-05-25 09:08 . 2011-05-25 09:08 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-25 09:07 . 2011-05-25 09:07 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Badoo
2011-05-10 21:09 . 2011-05-10 21:09 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\FastStone
2011-04-29 15:02 . 2011-04-29 15:02 -------- d-----w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\Temp
2011-04-29 14:54 . 2011-04-29 14:54 -------- d-----w- c:\program files\Common Files\Adobe AIR
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-05 19:46 . 2011-04-05 19:46 252256 ----a-r- c:\documents and settings\Administrator\Dane aplikacji\Microsoft\Installer\{6CD89E42-2052-48D4-A356-443EBFB9DF9D}\Icon_DjVuViewer.exe
2011-01-10 19:07 . 2011-01-10 21:22 252080 ----a-w- c:\program files\opera\program\plugins\dapop.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-07-22 . E88631E21A9CACA06104802F9E915115 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2008-07-22 13:23 . 9994E5A07D951FC1B0F5FB18501090FC . 1526784 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
.
[-] 2008-07-22 . 8CD81261DA6BD4BCFBD857A25220A1FB . 689152 . . [5.82] . . c:\windows\system32\comctl32.dll
[7] 2008-04-14 . 737739FACEAD60683AA8D7FF7602FD14 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
[7] 2001-08-23 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
.
[-] 2008-07-22 . 5F1CCDF37F28A88D0473B0C9EA1E0D58 . 487424 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
.
[-] 2008-07-22 . 808DE3BFBABD3737BF331661D919E32B . 893952 . . [7.00.6000.20815] . . c:\windows\system32\wininet.dll
.
[-] 2008-07-22 . B49A80A502FD86B2F05BC7BBD723DDAB . 1528832 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
[-] 2008-07-22 . 3122DAF86B33ED8AC4662D07593025D7 . 501760 . . [1.0626.6001.18000] . . c:\windows\system32\usp10.dll
.
.
[-] 2008-07-22 . 0277E1A3E8B337555A45943808451981 . 40448 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
.
.
[-] 2008-07-22 . 5FB59F2506787A7E036B7C2EFF1CCE24 . 2190208 . . [5.1.2600.5512] . . c:\windows\system32\ntoskrnl.exe
.
c:\windows\System32\wscntfy.exe ... - missing !!
c:\windows\System32\regsvc.dll ... - missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]
2011-01-10 19:07 141568 ----a-w- c:\progra~1\DAP\dapieloader.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VisualTaskTips"="c:\program files\Utilities\VisualTaskTips\VisualTaskTips.exe" [2007-09-05 36352]
"Gadu-Gadu 10"="c:\program files\Gadu-Gadu 10\gg.exe" [2010-12-16 12984928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"DriveSpace"="c:\program files\Drive Space Indicator\DrvSpace.exe" [2008-07-20 395716]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"VisualTaskTips"="c:\program files\Utilities\VisualTaskTips\VisualTaskTips.exe" [2007-09-05 36352]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-07-22 124928]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Badoo Desktop]
2011-03-31 18:46 1012224 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Badoo\Badoo Desktop\1.3.12.904\Badoo.Desktop.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-05-26 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-05-26 307928]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\program files\System\CPL Bonus\vcdrom.sys [2010-10-19 8576]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-05-26 19544]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2010-11-04 38144]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2010-11-04 235648]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWSNX
*NewlyCreated* - VCDROM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gazeta.pl/0,0.html?p=106
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
Trusted Zone: google.com\mail
TCP: {31A37CB1-22EF-4F6B-9F50-B6BFEDB9B9A2} = 89.108.195.20 217.17.34.10
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\cdortjzn.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Download Accelerator Plus (DAP) extension: {F17C1572-C9EC-4e5c-A542-D05CBB5C5A08} - c:\program files\DAP\DAPFireFox
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-ALLUpdate - c:\program files\ALLPlayer\ALLUpdate.exe
MSConfigStartUp-cdoosoft - c:\docume~1\ADMINI~1\USTAWI~1\Temp\herss.exe
AddRemove-{81BF6353-3C5B-4E6E-A566-7E162A00BF72}_is1 - c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-26 11:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1976)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
.
- - - - - - - > 'lsass.exe'(216)
c:\windows\system32\scecli.dll
c:\windows\system32\SETUPAPI.dll
.
Completion time: 2011-05-26 11:16:17
ComboFix-quarantined-files.txt 2011-05-26 09:16
.
Pre-Run: 12 000 727 040 bytes free
Post-Run: 12 221 108 224 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff
.
- - End Of File - - E05C859D08232102FE48BE4A6AA80825
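A ComboFix log like the one above is read by hand in most forum threads, but the parts that matter for triage (what was deleted, which Run keys point where, whether the firewall profile is on, which orphaned autostart entries pointed into Temp) follow a regular layout that a script can pull apart. The following Python is an added example written for this page; it is not part of the original post, nor ComboFix's or catchme's own code. It parses the section banners, the `[key]` / `"name"="path" [date size]` lines and the orphan lines exactly as they appear above, and applies a few heuristics that are my own assumptions about what is worth a second look on a Windows XP box: a Run value that is a bare file name (resolved through the search path rather than an absolute path), a binary living directly under a user-profile root or in a Temp directory, `autorun.inf` in a drive root, and `EnableFirewall`=0 on the standard profile. The sample input is a constructed excerpt that reuses lines from the log above with the English section names used on this page.

```python
"""Triage helper for a ComboFix log in the layout shown on this page.

Added example, not part of the original post or of ComboFix. Section names,
line formats and the heuristics below are assumptions drawn from the log
above, not a specification of the tool.
"""
import re
from typing import Dict, List

# Constructed sample: an excerpt of the log above in its exact layout.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\documents and settings\Administrator\xmlUpdater.exe
c:\windows\system32\msconfig.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-ALLUpdate - c:\program files\ALLPlayer\ALLUpdate.exe
MSConfigStartUp-cdoosoft - c:\docume~1\ADMINI~1\USTAWI~1\Temp\herss.exe
"""

# Section banners: "((( name )))", "- - - - name - - - -", "--- name ---".
SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
ORPHAN_RE = re.compile(r"^- - - - (?P<name>.+?) - - - -$")
BANNER_RE = re.compile(r"^-+\s*(?P<name>.+?)\s*-+$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*'
                      r"\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+) \(0x[0-9a-fA-F]+\)$')
ORPHAN_LINE_RE = re.compile(r"^(?P<source>[^ ]+) - (?P<path>.+)$")
TEMP_RE = re.compile(r"\\temp\\", re.I)


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-blank lines under the banner that precedes them ('.' is blank)."""
    sections: Dict[str, List[str]] = {}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line) or ORPHAN_RE.match(line) or BANNER_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def parse_run_entries(lines: List[str]) -> List[Dict[str, str]]:
    """Return the values listed under any ...\\Run or ...\\RunOnce key."""
    entries, key = [], ""
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key.lower().endswith(("\\run", "\\runonce")):
            entries.append({"key": key, **m.groupdict()})
    return entries


def firewall_disabled(lines: List[str]) -> bool:
    """True when the standard-profile firewall key carries EnableFirewall = 0."""
    key = ""
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = DWORD_RE.match(line)
        if (m and "firewallpolicy\\standardprofile" in key.lower()
                and m.group("name") == "EnableFirewall"):
            return m.group("value") == "0"
    return False


def parse_orphans(lines: List[str]) -> List[Dict[str, str]]:
    return [m.groupdict() for m in map(ORPHAN_LINE_RE.match, lines) if m]


def suspicious_path(path: str) -> str:
    """Heuristic (assumption): why a path deserves a closer look, or '' if none."""
    p = path.lower()
    if "\\" not in p:
        return "bare file name, resolved via the search path"
    if TEMP_RE.search(p):
        return "runs from a Temp directory"
    parts = p.split("\\")
    if len(parts) == 4 and parts[1] == "documents and settings":
        return "sits directly in a user-profile root"
    if len(parts) == 2 and parts[1] == "autorun.inf":
        return "autorun.inf in a drive root"
    return ""


def triage(text: str) -> List[str]:
    """One finding per deleted item, flagged autostart, firewall state and orphan."""
    s = split_sections(text)
    findings = []
    for path in s.get("Deleted", []):
        why = suspicious_path(path)
        findings.append(f"deleted: {path}" + (f" ({why})" if why else ""))
    reg = s.get("Reg Loading Points", [])
    for e in parse_run_entries(reg):
        why = suspicious_path(e["path"])
        if why:
            findings.append(f"autostart {e['name']} -> {e['path']} ({why})")
    if firewall_disabled(reg):
        findings.append("Windows Firewall standard profile disabled (EnableFirewall=0)")
    for o in parse_orphans(s.get("ORPHANS REMOVED", [])):
        why = suspicious_path(o["path"])
        if why:
            findings.append(f"orphan {o['source']} -> {o['path']} ({why})")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run it against a saved log with `triage(open("ComboFix.txt", encoding="cp1250").read())` after substituting the section names the log actually uses (a Polish-locale ComboFix prints Polish banners). On the sample it reports the two `autorun.inf` deletions, the `xmlUpdater.exe` copy in the profile root, the `RTHDCPL` value that has no directory, the disabled firewall profile and the orphaned `herss.exe` entry in Temp; `avastUI.exe` and `ALLUpdate.exe` are left alone because they live under Program Files.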