ComboFix 09-07-07.A4 - Dorota 2009-07-08 10:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.3583.3030 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Dorota\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090707-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ArcaFirewall 2007 *enabled* {B640009B-6FF6-4CA7-9CE8-7DA160B95A5B}
* Utworzono nowy punkt przywracania
.
((((((((((((((((((((((((( Pliki utworzone od 2009-06-08 do 2009-07-08 )))))))))))))))))))))))))))))))
.
2009-07-08 08:28 . 2009-07-08 08:28 -------- d-----w- c:\program files\CodeStuff
2009-07-01 08:46 . 2009-06-14 18:06 142336 ----a-w- c:\windows\system32\issch.exe
2009-07-01 08:46 . 2009-07-01 08:46 -------- d-----w- c:\program files\Microsoft Studio
2009-07-01 08:42 . 2009-07-01 08:42 -------- d-----w- C:\ProgramData
2009-07-01 08:42 . 2009-07-01 08:42 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Electronic Arts
2009-06-30 18:54 . 2008-09-04 18:17 447752 ----a-r- c:\windows\system32\vp6vfw.dll
2009-06-30 18:54 . 2009-06-30 18:54 10134 ----a-r- c:\documents and settings\Dorota\Dane aplikacji\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-30 18:54 . 2009-06-30 18:54 -------- d-----w- c:\program files\Microsoft WSE
2009-06-30 18:41 . 2009-06-30 19:49 -------- d-----w- c:\program files\Electronic Arts
2009-06-28 09:14 . 2008-07-31 08:41 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2009-06-28 09:14 . 2008-07-31 08:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll
2009-06-28 09:14 . 2008-07-31 08:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll
2009-06-28 09:14 . 2008-07-12 06:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2009-06-28 09:14 . 2008-07-12 06:18 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2009-06-28 09:14 . 2008-07-12 06:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2009-06-28 09:11 . 2009-06-28 09:11 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\DAEMON Tools Lite
2009-06-28 09:11 . 2009-06-28 09:11 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-06-28 09:08 . 2009-06-28 09:08 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-28 09:08 . 2009-06-28 09:13 -------- d-----w- c:\documents and settings\Dorota\Dane aplikacji\DAEMON Tools Lite
2009-06-24 02:06 . 2009-06-24 02:06 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-22 18:47 . 2009-07-07 06:55 -------- d-----w- c:\program files\Nowe Gadu-Gadu
2009-06-15 14:00 . 2009-07-06 06:22 299008 ----a-w- c:\windows\system32\miccyhook.dll
2009-06-11 15:56 . 2009-06-11 15:56 152576 ----a-w- c:\documents and settings\Dorota\Dane aplikacji\Sun\Java\jre1.6.0_13\lzma.dll
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 00:45 . 2009-02-22 11:48 2134024 ----a-w- c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat
2009-07-07 13:41 . 2009-04-13 20:00 -------- d-----w- c:\documents and settings\Dorota\Dane aplikacji\Nowe Gadu-Gadu
2009-06-30 18:41 . 2009-02-08 19:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-11 15:56 . 2009-02-08 22:10 -------- d-----w- c:\program files\Java
2009-06-04 09:58 . 2009-06-04 09:14 -------- d-----w- c:\program files\nLite
2009-06-04 09:49 . 2009-06-04 09:49 -------- d-----w- c:\documents and settings\Dorota\Dane aplikacji\U3
2009-06-02 14:25 . 2009-06-02 14:25 286720 ----a-w- c:\windows\iun506.exe
2009-06-02 06:15 . 2009-06-02 06:15 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\TomTom
2009-06-02 06:14 . 2009-06-02 06:14 -------- d-----w- c:\documents and settings\Dorota\Dane aplikacji\TomTom
2009-06-02 06:14 . 2009-06-02 06:14 -------- d-----w- c:\program files\TomTom International B.V
2009-06-02 06:14 . 2009-06-02 06:14 -------- d-----w- c:\program files\TomTom HOME 2
2009-06-02 06:11 . 2009-06-02 06:11 -------- d-----w- c:\program files\TomTom DesktopSuite
2009-05-28 09:23 . 2009-05-28 09:23 42088 ----a-w- c:\documents and settings\Dorota\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll
2009-05-28 08:34 . 2009-05-28 08:34 11264 ----a-w- c:\documents and settings\Dorota\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll
2009-04-28 09:05 . 2009-04-28 08:55 32 ----a-w- c:\windows\system87sG.dat
2009-04-21 22:20 . 2009-04-21 22:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-21 22:20 . 2009-04-21 22:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"TBPanel"="c:\program files\Vtune\TBPanel.exe" [2008-07-10 2154496]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-01-24 2289664]
"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2009-02-22 306088]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-24 251240]
"DAEMON Tools Lite"="d:\daemon tools lite\daemon.exe" [2009-04-23 691656]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
"Nowe Gadu-Gadu"="c:\program files\Nowe Gadu-Gadu\gg.exe" [2009-05-28 10486376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-11-07 176128]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"issch"="c:\windows\system32\issch.exe" [2009-06-14 142336]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-06-15 1826816]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-08 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-02-08 20560]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2009-04-24 92008]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.szybko-szukaj.pl
mStart Page = hxxp://www.yahoo.com
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dorota\Dane aplikacji\Mozilla\Firefox\Profiles\oyovwe8g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Dorota\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 10:44
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
c:\docume~1\Dorota\USTAWI~1\Temp\Perflib_Perfdata_f7c.dat 16384 bytes
skanowanie pomyślnie ukończone
ukryte pliki: 1
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
[HKEY_USERS\S-1-5-21-1844237615-515967899-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:79,28,f1,a8,2f,64,81,17,c1,c5,4c,08,fb,20,8b,eb,ee,86,41,6e,19,
11,b2,cd,6b,c9,23,da,4e,31,b9,5d,89,31,80,e0,e0,94,cd,35,3a,6b,86,58,e0,4e,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'explorer.exe'(3556)
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Czas ukończenia: 2009-07-08 10:45
ComboFix-quarantined-files.txt 2009-07-08 08:44
Przed: 225 521 319 936 bajtów wolnych
Po: 225 618 243 584 bajtów wolnych
WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
220 --- E O F --- 2009-02-10 22:49
Above I am posting the log from ComboFix. My problem is that the start page keeps changing to "szybko-szukaj.pl". Apart from that there are also other problems with the browsers, but I think they stem from the same problem. I am asking for quick help. Thanks in advance and regards - Olek.