ComboFix 12-03-04.02 - Piotr 2012-03-06 16:21:10.1.2 - x86
Uruchomiony z: c:\documents and settings\Piotr\Pulpit\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Piotr\Recent\Thumbs.db
c:\documents and settings\Piotr\Ustawienia lokalne\Dane aplikacji\f9572d71\U
c:\documents and settings\Piotr\Ustawienia lokalne\Dane aplikacji\f9572d71\U\80000000.@
c:\documents and settings\Piotr\Ustawienia lokalne\Dane aplikacji\f9572d71\U\800000cb.@
c:\documents and settings\Piotr\Ustawienia lokalne\Dane aplikacji\f9572d71\U\800000cf.@
c:\documents and settings\Piotr\winlogon.exe
c:\windows\$NtUninstallKB11225$
c:\windows\$NtUninstallKB11225$\2164867718
c:\windows\$NtUninstallKB11225$\4183240049\@
c:\windows\$NtUninstallKB11225$\4183240049\L\booloxwq
c:\windows\$NtUninstallKB11225$\4183240049\loader.tlb
c:\windows\$NtUninstallKB11225$\4183240049\U\@00000001
c:\windows\$NtUninstallKB11225$\4183240049\U\@000000c0
c:\windows\$NtUninstallKB11225$\4183240049\U\@000000cb
c:\windows\$NtUninstallKB11225$\4183240049\U\@000000cf
c:\windows\$NtUninstallKB11225$\4183240049\U\@80000000
c:\windows\$NtUninstallKB11225$\4183240049\U\@800000c0
c:\windows\$NtUninstallKB11225$\4183240049\U\@800000cb
c:\windows\$NtUninstallKB11225$\4183240049\U\@800000cf
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\dds_log_trash.cmd
c:\windows\system32\shimg.dll
c:\windows\system32\spmgr.dll
c:\windows\XSxS
.
c:\windows\system32\drivers\afd.sys . . . jest zainfekowany!!
.
.
.
Failed to find a valid replacement.
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AsIO
-------\Service_AsIO
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-02-06 do 2012-03-06 )))))))))))))))))))))))))))))))
.
.
2012-03-06 15:20 . 2008-04-14 20:41 65280 ----a-w- c:\windows\system32\drivers\serial.sys
2012-03-06 00:03 . 2012-03-06 12:18 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-01 06:42 . 2012-03-01 06:42 -------- d-----w- C:\spoolerlogs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 14:24 . 2011-11-01 19:58 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-08-16 2736128]
"ALLUpdate"="c:\program files\ALLPlayer\ALLUpdate.exe" [2010-03-24 1432064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2009-06-10 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-11-18 33697792]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"CorelDRAW Graphics Suite 11b"="c:\program files\Corel\Corel Graphics 12\Languages\PL\Programs\Registration.exe" [2004-06-22 733184]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"DataCardMonitor"="c:\program files\blueconnect\DataCardMonitor.exe" [2010-12-20 249856]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-12-28 274608]
"MacrokeyManager"="WTMKM.exe" [2009-04-22 3161760]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10x_ActiveX.exe" [2011-09-28 243360]
.
c:\documents and settings\Piotr\Menu Start\Programy\Autostart\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Exif Launcher 2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2010-11-15 294912]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:4d33c5abb9c9
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Google\\Google SketchUp 7\\SketchUp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AVAST Software\\Avast\\AvastUI.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-11-27 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-11-27 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-11-27 20568]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-10-21 1425280]
S2 gupdate;Usługa Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-19 136176]
S3 gupdatem;Usługa Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-19 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-03-06 40776]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
MSSQL$MSSMLBIZ
asp.net_1.1.4322
dirms_defragmentation
mindretrieve
aracpi
MSICPL
AsIO
JiaoCap
vmodem
WmaCVideo32
sandrathesrv
streamloadservice
botcbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-08-16 12:43 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-19 11:31]
.
2012-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-19 11:31]
.
2012-03-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 10:33]
.
2012-03-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1614895754-884357618-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 10:33]
.
2012-02-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 10:33]
.
2012-03-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1614895754-884357618-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 10:33]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://search.babylon.com/?AF=100478&babsrc=HP_ss&mntrId=2c8b900a000000000000485b39a63e13
uInternet Settings,ProxyOverride = *.local
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 94.251.160.14 94.251.182.11
FF - ProfilePath - c:\documents and settings\Piotr\Dane aplikacji\Mozilla\Firefox\Profiles\78ep00s2.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?AF=100478&babsrc=adbartrp&mntrId=2c8b900a000000000000485b39a63e13&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - user.js: extensions.BabylonToolbar_i.id - 2c8b900a000000000000485b39a63e13
FF - user.js: extensions.BabylonToolbar_i.hardId - 2c8b900a000000000000485b39a63e13
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15318
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1721:33
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100478
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-06 16:36
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
DataCardMonitor = c:\program files\blueconnect\DataCardMonitor.exe?32;c:\windows;c:\WINDOW?? ?????????????????????????????!???????????(???obe\AGL;c:\program files\QuickTime\QTSystem\?PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH?PROCESSOR_ARCHITECTURE=x86?PROCESS
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\WTMKM.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\atwtusb.exe
.
**************************************************************************
.
Czas ukończenia: 2012-03-06 16:39:48 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2012-03-06 15:39
.
Przed: 8 465 608 704 bajtów wolnych
Po: 10 043 559 936 bajtów wolnych
.
WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 82521BE7E40EEADC23A1911A33D01A0A