ComboFix 09-03-23.01 - Adi 2009-03-25 21:17:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.767.375 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Adi\Pulpit\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
* Utworzono nowy punkt przywracania
.
((((((((((((((((((((((((( Pliki utworzone od 2009-02-25 do 2009-03-25 )))))))))))))))))))))))))))))))
.
2009-04-03 19:43 . 2009-04-03 19:43
2009-03-25 18:16 . 2009-03-25 18:16 77 ---hs---- c:\documents and settings\Desktop.ini
2009-03-23 19:48 . 2009-03-24 17:28
2009-03-21 18:01 . 2009-03-21 18:01 5,120 --ahs---- c:\windows\system32\Thumbs.db
2009-03-21 17:59 . 2009-03-25 17:08 9,216 --ahs---- c:\windows\Thumbs.db
2009-03-21 11:08 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2009-03-18 19:21 . 2004-11-03 09:00 434,176 --------- c:\windows\system32\_setupu.exe
2009-03-15 13:18 . 2009-03-15 13:18 481 --a------ c:\windows\eReg.dat
2009-03-09 19:28 . 2009-03-09 19:28
2009-03-08 18:17 . 2009-03-08 18:36 4,482 --a------ c:\windows\BricoPackFoldersDelete.cmd
2009-03-06 12:49 . 2009-03-06 12:49
2009-03-06 10:20 . 2008-08-14 14:46 2,137,600 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-06 10:19 . 2008-08-14 14:46 2,181,632 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-06 10:19 . 2008-08-14 14:46 2,059,008 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-06 10:19 . 2008-08-14 14:46 2,017,280 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-06 09:48 . 2009-03-06 09:48
2009-03-06 09:26 . 2008-06-14 19:01 273,024 --------- c:\windows\system32\drivers\bthport.sys
2009-03-06 09:26 . 2008-06-14 19:01 273,024 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-05 17:35 . 2009-03-11 19:00
2009-02-27 17:04 . 2009-03-20 10:36 2,321,408 --a------ c:\windows\system32\TUKernel.exe
2009-02-26 18:54 . 2009-02-26 18:54
2009-02-26 16:55 . 2009-02-26 16:55
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 17:46 --------- d-----w c:\program files\Kalendarz XP
2009-03-21 17:47 --------- d-----w c:\documents and settings\Adi\Dane aplikacji\Skype
2009-03-21 16:59 --------- d-----w c:\program files\TransItal
2009-03-21 16:59 --------- d-----w c:\program files\Real Alternative
2009-03-18 17:59 --------- d-----w c:\program files\TuneUp Utilities 2008
2009-03-16 16:29 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Microsoft Help
2009-03-08 17:36 76,507 ----a-w c:\windows\BricoPackUninst.cmd
2009-03-08 16:50 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 08:40 --------- d-----w c:\program files\Nowe Gadu-Gadu
2009-02-23 16:13 361,728 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-02-23 16:13 --------- d-----w c:\documents and settings\Adi\Dane aplikacji\TuneUp Software
2009-02-23 16:12 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\TuneUp Software
2009-02-23 16:11 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-22 13:57 --------- d-----w c:\documents and settings\Adi\Dane aplikacji\Nowe Gadu-Gadu
2009-02-21 13:47 --------- d-----w c:\program files\Skype
2009-02-21 13:36 --------- d-----w c:\program files\SubEdit-Player
2009-02-21 08:39 --------- d-----w c:\documents and settings\Adi\Dane aplikacji\Ahead
2009-02-20 15:58 --------- d-----w c:\documents and settings\Adi\Dane aplikacji\Winamp
2009-02-20 15:51 --------- d-----w c:\program files\English Translator 1.7
2009-02-20 10:43 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Bluetooth
2009-02-20 10:39 --------- d-----w c:\program files\IVT Corporation
2009-02-20 10:18 --------- d-----w c:\program files\ivo
2009-02-20 10:15 --------- d-----w c:\program files\Foxit Software
2009-02-20 10:15 --------- d-----w c:\documents and settings\Adi\Dane aplikacji\Foxit
2009-02-20 09:59 --------- d-----w c:\program files\PC Camera
2009-02-19 20:57 --------- d-----w c:\program files\Common Files\Ahead
2009-02-19 20:55 --------- d-----w c:\program files\Nero
2009-02-19 20:55 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Nero
2009-02-19 20:09 --------- d-----w c:\program files\Winamp
2009-02-19 19:55 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-19 19:55 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-19 19:53 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\UDL
2009-02-19 19:52 --------- d-----w c:\program files\epson
2009-02-19 19:47 --------- d-----w c:\documents and settings\Adi\Dane aplikacji\InstallShield
2009-02-19 19:46 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\EPSON
2009-02-19 19:37 --------- d-----w c:\program files\MSBuild
2009-02-19 19:37 --------- d-----w c:\program files\Microsoft Works
2009-02-19 19:30 --------- d-----w c:\program files\DAEMON Tools Lite
2009-02-19 19:30 --------- d-----w c:\documents and settings\Adi\Dane aplikacji\DAEMON Tools
2009-02-19 19:27 715,248 ----a-w c:\windows\system32\drivers\sptd.sys
2009-02-19 19:17 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-02-19 19:17 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-02-19 19:17 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-19 19:17 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-19 19:17 --------- d-----w c:\program files\Windows Sidebar
2009-02-19 19:17 --------- d-----w c:\program files\Symantec
2009-02-19 19:17 --------- d-----w c:\program files\Norton Internet Security
2009-02-19 19:17 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Norton
2009-02-19 19:16 --------- d-----w c:\program files\NortonInstaller
2009-02-19 19:16 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\NortonInstaller
2009-02-19 19:01 219,648 ----a-w c:\windows\system32\uxtheme.dll
2009-02-19 18:53 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\IconTweaker
2009-02-19 18:53 --------- d-----w c:\documents and settings\Adi\Dane aplikacji\IconTweaker
2009-02-19 18:10 --------- d-----w c:\program files\ATI Technologies
2009-02-19 17:26 --------- d-----w c:\program files\microsoft frontpage
2009-02-19 17:25 --------- d-----w c:\program files\Usługi online
2009-02-09 14:19 1,846,528 ----a-w c:\windows\system32\win32k.sys
2009-01-15 01:05 902,656 ----a-w c:\windows\system32\wininet.dll
2009-01-15 01:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 01:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 01:03 72,704 ----a-w c:\windows\system32\admparse.dll
2009-01-15 01:03 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-01-15 01:03 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-01-15 01:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 01:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 01:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 00:50 156,160 ----a-w c:\windows\system32\msls31.dll
2008-09-15 07:32 558,551 --sha-r c:\program files\Norton2009Reset.exe
.
------- Sigcheck -------
2004-08-04 00:44 693248 7d46293106e58ca7878509ccc4071f2f c:\windows\ie8\wininet.dll
2009-01-15 02:05 902656 8a11276d3ea94ad90e75ac5856eb1b67 c:\windows\system32\wininet.dll
2009-01-15 02:05 902656 8a11276d3ea94ad90e75ac5856eb1b67 c:\windows\system32\dllcache\wininet.dll
2007-06-13 14:23 976896 e74ef52c79f3347a0b105b0b92bfed38 c:\windows\explorer.exe
2007-06-13 14:12 1034752 8db0650b211425b9cdb7d1c4a8f6b482 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 00:44 975872 196c130d31317fe53de984220b5e13b9 c:\windows\$NtUninstallKB938828$\explorer.exe
2007-06-13 14:23 976896 e74ef52c79f3347a0b105b0b92bfed38 c:\windows\system32\dllcache\explorer.exe
2008-10-16 14:09 66584 2275f45e257d46e6500558b2930cb9a4 c:\windows\system32\wuauclt.exe
2008-10-16 14:09 66584 2275f45e257d46e6500558b2930cb9a4 c:\windows\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TuneUp MemOptimizer"="c:\program files\TuneUp Utilities 2008\MemOptimizer.exe" [2008-08-27 154368]
"RocketDock"="c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe" [2007-03-18 630784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kalendarz XP"="c:\program files\Kalendarz XP\Kalendarz.exe" [2007-05-06 1194496]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\Adi\Menu Start\Programy\Autostart\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-09-20 1200128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= d:\instal~1\midtown\Indeo\Iac25_32.ax
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"
"EPSON Stylus DX4400 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "c:\windows\TEMP\E_SAB.tmp" /EF "HKCU"
"RocketDock"="c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nForce Tray Options"=sstray.exe /r
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"c:\Program Files\Microsoft Office\Office12\GROOVE.EXE"=
"c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"c:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2008-08-26 110128]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2008-08-26 17328]
R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2009-02-26 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1002000.007\cchpx86.sys [2009-02-26 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Dane aplikacji\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090318.001\IDSxpx86.sys [2009-03-23 276344]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2009-02-26 115560]
R3 CAM1210;USB video camera;c:\windows\system32\drivers\cam1210.sys [2007-02-14 92416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-25 101936]
S2 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-10-01 558551]
S3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{343923ce-0d8b-11de-9c01-914a6d5a5b4c}]
\Shell\AutoRun\command - G:\gi2ky.exe
\Shell\open\Command - G:\gi2ky.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Zawartość folderu 'Zaplanowane zadania'
2009-03-25 c:\windows\Tasks\Konserwacja jednym kliknięciem.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-08-27 12:09]
2009-03-25 c:\windows\Tasks\User_Feed_Synchronization-{1E99CB5E-B580-4BC8-BF84-5156DFFBC0FD}.job
- c:\windows\system32\msfeedssync.exe [2009-01-15 02:01]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {6C7F9B56-6682-4CFD-BC4D-A858B4270735} = 213.158.199.1 213.158.199.5
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-25 21:19:13
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów …
skanowanie ukrytych wpisów autostartu …
skanowanie ukrytych plików …
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
c:\windows\system32\Ati2evxx.dll
.
Czas ukończenia: 2009-03-25 21:20:20
ComboFix-quarantined-files.txt 2009-03-25 20:20:18
Przed: 19 192 877 056 bajtów wolnych
Po: 22,039,535,616 bajtów wolnych
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=K4B46C /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=K4B46C-BAK
212 --- E O F --- 2009-03-15 11:30:15