Windows Vista Home Premium
Here is the log from ComboFix
ComboFix 11-10-29.03 - Laptop 2011-10-29 13:09:42.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1250.48.1045.18.1022.456 [GMT 2:00]
Uruchomiony z: c:\users\Laptop\Desktop\ComboFix.exe
AV: avast! antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Utworzono nowy punkt przywracania
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\facemoods.com
c:\program files\facemoods.com\facemoods\1.4.8.1\bh\facemoods.dll
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoods.crx
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoods.png
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodsApp.dll
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodsEng.dll
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodssrv.exe
c:\program files\facemoods.com\facemoods\1.4.8.1\uninstall.exe
c:\users\Laptop\AppData\Local\Bron.tok-14-1
c:\users\Laptop\AppData\Local\Bron.tok-14-10
c:\users\Laptop\AppData\Local\Bron.tok-14-11
c:\users\Laptop\AppData\Local\Bron.tok-14-12
c:\users\Laptop\AppData\Local\Bron.tok-14-13
c:\users\Laptop\AppData\Local\Bron.tok-14-14
c:\users\Laptop\AppData\Local\Bron.tok-14-15
c:\users\Laptop\AppData\Local\Bron.tok-14-16
c:\users\Laptop\AppData\Local\Bron.tok-14-17
c:\users\Laptop\AppData\Local\Bron.tok-14-18
c:\users\Laptop\AppData\Local\Bron.tok-14-19
c:\users\Laptop\AppData\Local\Bron.tok-14-2
c:\users\Laptop\AppData\Local\Bron.tok-14-20
c:\users\Laptop\AppData\Local\Bron.tok-14-21
c:\users\Laptop\AppData\Local\Bron.tok-14-22
c:\users\Laptop\AppData\Local\Bron.tok-14-23
c:\users\Laptop\AppData\Local\Bron.tok-14-24
c:\users\Laptop\AppData\Local\Bron.tok-14-25
c:\users\Laptop\AppData\Local\Bron.tok-14-26
c:\users\Laptop\AppData\Local\Bron.tok-14-27
c:\users\Laptop\AppData\Local\Bron.tok-14-28
c:\users\Laptop\AppData\Local\Bron.tok-14-29
c:\users\Laptop\AppData\Local\Bron.tok-14-3
c:\users\Laptop\AppData\Local\Bron.tok-14-30
c:\users\Laptop\AppData\Local\Bron.tok-14-31
c:\users\Laptop\AppData\Local\Bron.tok-14-4
c:\users\Laptop\AppData\Local\Bron.tok-14-5
c:\users\Laptop\AppData\Local\Bron.tok-14-6
c:\users\Laptop\AppData\Local\Bron.tok-14-7
c:\users\Laptop\AppData\Local\Bron.tok-14-8
c:\users\Laptop\AppData\Local\Bron.tok-14-9
c:\users\Laptop\AppData\Local\csrss.exe
c:\users\Laptop\AppData\Local\inetinfo.exe
c:\users\Laptop\AppData\Local\Kosong.Bron.Tok.txt
c:\users\Laptop\AppData\Local\lsass.exe
c:\users\Laptop\AppData\Local\services.exe
c:\users\Laptop\AppData\Local\smss.exe
c:\users\Laptop\AppData\Local\winlogon.exe
c:\users\Laptop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif
c:\users\Laptop\AppData\Roaming\Microsoft\Windows\Templates\Brengkolang.com
c:\windows\BerasJatah.exe
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\shellnew\sempalong.exe
c:\windows\system32\Laptop's Setting.scr
.
Zainfekowana kopia c:\windows\system32\userinit.exe została znaleziona. Problem naprawiono
Plik odzyskano z - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
.
.
((((((((((((((((((((((((( Pliki utworzone od 2011-09-28 do 2011-10-29 )))))))))))))))))))))))))))))))
.
.
2011-10-29 11:21 . 2011-10-29 11:21 0 ---ha-w- c:\users\Laptop\AppData\Local\BITE14A.tmp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ce18769b-c7fa-42d2-860d-17c4662c70ad}"= "c:\program files\Babylon-English\tbBaby.dll" [2010-06-13 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]
2010-06-13 17:10 2734688 ----a-w- c:\program files\Babylon-English\tbBaby.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ce18769b-c7fa-42d2-860d-17c4662c70ad}"= "c:\program files\Babylon-English\tbBaby.dll" [2010-06-13 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CE18769B-C7FA-42D2-860D-17C4662C70AD}"= "c:\program files\Babylon-English\tbBaby.dll" [2010-06-13 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-08-07 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Monitor.lnk
backup=c:\windows\pss\Bluetooth Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Laptop^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Empty.pif]
path=c:\users\Laptop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif
backup=c:\windows\pss\Empty.pif.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
2009-02-05 20:08 81000 ----a-w- c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2010-08-10 15:40 3824056 ----a-w- c:\program files\Babylon\Babylon-Pro\Babylon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu 10]
2010-07-21 23:24 12477024 ----a-w- c:\program files\Gadu-Gadu 10\gg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPLA!]
2010-06-21 08:23 16218112 ----a-w- c:\program files\ipla\ipla.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ORAHSSSessionManager]
2008-06-10 09:14 107248 ----a-w- c:\program files\Livebox\SessionManager\SessionManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 17:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-21 02:23 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2008-01-21 02:23 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2006-12-22 449536]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;e:\ewerest\EVEREST Ultimate Edition 55\kerneld.wnt [x]
R3 PCAMp50;PCAMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\PCAMp50.sys [2006-11-28 28224]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 gupdate;Usługa Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 135664]
R4 gupdatem;Usługa Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 135664]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-02-05 51792]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Zawartość folderu 'Zaplanowane zadania'
.
2011-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 13:26]
.
2011-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 13:26]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://search.babylon.com/home?AF=14542
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Funkcja Google Sidewiki - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
TCP: Interfaces\{8969DEA7-D206-4FDB-89C7-B489AA1D539E}: NameServer = 8.8.8.8
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
MSConfigStartUp-facemoods - c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodssrv.exe
AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.4.8.1\uninstall.exe
.
.
.
**************************************************************************
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\e:\ewerest\EVEREST Ultimate Edition 55\kerneld.wnt"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\progra~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\conime.exe
.
**************************************************************************
.
Czas ukończenia: 2011-10-29 13:29:18 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2011-10-29 11:28
.
Przed: 19 059 744 768 bajtów wolnych
Po: 19 467 517 952 bajtów wolnych
.
- - End Of File - - 0D1C594EC02FC9DECCC146FBD40AF64E
For now Malwarebytes is scanning; I'll paste the logs later.