"Szybko-szukaj.pl" logs from ComboFix

ComboFix 09-07-07.A4 - Dorota 2009-07-08 10:43.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.3583.3030 [GMT 2:00]

Uruchomiony z: c:\documents and settings\Dorota\Pulpit\ComboFix.exe

AV: avast! antivirus 4.8.1335 [VPS 090707-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: ArcaFirewall 2007 *enabled* {B640009B-6FF6-4CA7-9CE8-7DA160B95A5B}

 * Utworzono nowy punkt przywracania

.


((((((((((((((((((((((((( Pliki utworzone od 2009-06-08 do 2009-07-08 )))))))))))))))))))))))))))))))

.


2009-07-08 08:28 . 2009-07-08 08:28	--------	d-----w-	c:\program files\CodeStuff

2009-07-01 08:46 . 2009-06-14 18:06	142336	----a-w-	c:\windows\system32\issch.exe

2009-07-01 08:46 . 2009-07-01 08:46	--------	d-----w-	c:\program files\Microsoft Studio

2009-07-01 08:42 . 2009-07-01 08:42	--------	d-----w-	C:\ProgramData

2009-07-01 08:42 . 2009-07-01 08:42	--------	d-----w-	c:\documents and settings\All Users\Dane aplikacji\Electronic Arts

2009-06-30 18:54 . 2008-09-04 18:17	447752	----a-r-	c:\windows\system32\vp6vfw.dll

2009-06-30 18:54 . 2009-06-30 18:54	10134	----a-r-	c:\documents and settings\Dorota\Dane aplikacji\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe

2009-06-30 18:54 . 2009-06-30 18:54	--------	d-----w-	c:\program files\Microsoft WSE

2009-06-30 18:41 . 2009-06-30 19:49	--------	d-----w-	c:\program files\Electronic Arts

2009-06-28 09:14 . 2008-07-31 08:41	238088	----a-w-	c:\windows\system32\xactengine3_2.dll

2009-06-28 09:14 . 2008-07-31 08:41	68616	----a-w-	c:\windows\system32\XAPOFX1_1.dll

2009-06-28 09:14 . 2008-07-31 08:40	509448	----a-w-	c:\windows\system32\XAudio2_2.dll

2009-06-28 09:14 . 2008-07-12 06:18	467984	----a-w-	c:\windows\system32\d3dx10_39.dll

2009-06-28 09:14 . 2008-07-12 06:18	1493528	----a-w-	c:\windows\system32\D3DCompiler_39.dll

2009-06-28 09:14 . 2008-07-12 06:18	3851784	----a-w-	c:\windows\system32\D3DX9_39.dll

2009-06-28 09:11 . 2009-06-28 09:11	--------	d-----w-	c:\documents and settings\All Users\Dane aplikacji\DAEMON Tools Lite

2009-06-28 09:11 . 2009-06-28 09:11	--------	d-----w-	c:\program files\DAEMON Tools Toolbar

2009-06-28 09:08 . 2009-06-28 09:08	721904	----a-w-	c:\windows\system32\drivers\sptd.sys

2009-06-28 09:08 . 2009-06-28 09:13	--------	d-----w-	c:\documents and settings\Dorota\Dane aplikacji\DAEMON Tools Lite

2009-06-24 02:06 . 2009-06-24 02:06	--------	d-----w-	c:\windows\system32\wbem\Repository

2009-06-22 18:47 . 2009-07-07 06:55	--------	d-----w-	c:\program files\Nowe Gadu-Gadu

2009-06-15 14:00 . 2009-07-06 06:22	299008	----a-w-	c:\windows\system32\miccyhook.dll

2009-06-11 15:56 . 2009-06-11 15:56	152576	----a-w-	c:\documents and settings\Dorota\Dane aplikacji\Sun\Java\jre1.6.0_13\lzma.dll


.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-08 00:45 . 2009-02-22 11:48	2134024	----a-w-	c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat

2009-07-07 13:41 . 2009-04-13 20:00	--------	d-----w-	c:\documents and settings\Dorota\Dane aplikacji\Nowe Gadu-Gadu

2009-06-30 18:41 . 2009-02-08 19:22	--------	d--h--w-	c:\program files\InstallShield Installation Information

2009-06-11 15:56 . 2009-02-08 22:10	--------	d-----w-	c:\program files\Java

2009-06-04 09:58 . 2009-06-04 09:14	--------	d-----w-	c:\program files\nLite

2009-06-04 09:49 . 2009-06-04 09:49	--------	d-----w-	c:\documents and settings\Dorota\Dane aplikacji\U3

2009-06-02 14:25 . 2009-06-02 14:25	286720	----a-w-	c:\windows\iun506.exe

2009-06-02 06:15 . 2009-06-02 06:15	--------	d-----w-	c:\documents and settings\All Users\Dane aplikacji\TomTom

2009-06-02 06:14 . 2009-06-02 06:14	--------	d-----w-	c:\documents and settings\Dorota\Dane aplikacji\TomTom

2009-06-02 06:14 . 2009-06-02 06:14	--------	d-----w-	c:\program files\TomTom International B.V

2009-06-02 06:14 . 2009-06-02 06:14	--------	d-----w-	c:\program files\TomTom HOME 2

2009-06-02 06:11 . 2009-06-02 06:11	--------	d-----w-	c:\program files\TomTom DesktopSuite

2009-05-28 09:23 . 2009-05-28 09:23	42088	----a-w-	c:\documents and settings\Dorota\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll

2009-05-28 08:34 . 2009-05-28 08:34	11264	----a-w-	c:\documents and settings\Dorota\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll

2009-04-28 09:05 . 2009-04-28 08:55	32	----a-w-	c:\windows\system87sG.dat

2009-04-21 22:20 . 2009-04-21 22:20	14311680	----a-w-	c:\windows\system32\xlive.dll

2009-04-21 22:20 . 2009-04-21 22:20	13642496	----a-w-	c:\windows\system32\xlivefnt.dll

.


((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane  

REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"TBPanel"="c:\program files\Vtune\TBPanel.exe" [2008-07-10 2154496]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-01-24 2289664]

"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2009-02-22 306088]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-24 251240]

"DAEMON Tools Lite"="d:\daemon tools lite\daemon.exe" [2009-04-23 691656]

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]

"Nowe Gadu-Gadu"="c:\program files\Nowe Gadu-Gadu\gg.exe" [2009-05-28 10486376]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-11-07 176128]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 30248]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 46632]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"issch"="c:\windows\system32\issch.exe" [2009-06-14 142336]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-06-15 1826816]


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=

"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=

"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=


R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-08 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-02-08 20560]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2009-04-24 92008]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://www.szybko-szukaj.pl

mStart Page = hxxp://www.yahoo.com

IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Dorota\Dane aplikacji\Mozilla\Firefox\Profiles\oyovwe8g.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - prefs.js: browser.startup.homepage - hxxp://www.szybko-szukaj.pl

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - plugin: c:\documents and settings\Dorota\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}


---- FIREFOX - SPOSÓB POSTĘPOWANIA ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.


**************************************************************************


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-08 10:44

Windows 5.1.2600 Dodatek Service Pack 3 NTFS


skanowanie ukrytych procesów ...  


skanowanie ukrytych wpisów autostartu ... 


skanowanie ukrytych plików ...  



c:\docume~1\Dorota\USTAWI~1\Temp\Perflib_Perfdata_f7c.dat 16384 bytes


skanowanie pomyślnie ukończone

ukryte pliki: 1


**************************************************************************

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------


[HKEY_USERS\S-1-5-21-1844237615-515967899-839522115-1004\Software\SecuROM\License information*]

"datasecu"=hex:79,28,f1,a8,2f,64,81,17,c1,c5,4c,08,fb,20,8b,eb,ee,86,41,6e,19,

   11,b2,cd,6b,c9,23,da,4e,31,b9,5d,89,31,80,e0,e0,94,cd,35,3a,6b,86,58,e0,4e,\

"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------


- - - - - - - > 'explorer.exe'(3556)

c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll

c:\program files\Common Files\Ahead\Lib\MFC71U.DLL

c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Czas ukończenia: 2009-07-08 10:45

ComboFix-quarantined-files.txt 2009-07-08 08:44


Przed: 225 521 319 936 bajtów wolnych

Po: 225 618 243 584 bajtów wolnych


WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer


220	--- E O F ---	2009-02-10 22:49

Above I am posting the LOG from ComboFix. My problem is that the start page keeps changing to “szybko-szukaj.pl”. Apart from that there are also other problems with the browsers, but I think they stem from the same problem. I'm asking for quick help. Thanks in advance and regards - Olek.

ComboFix isn't needed. Paste a log from OTL, because this one is actually easy to remove

http://oldtimer.geekstogo.com/OTL.exe

Paste the logs on www.wklej.org and post only a link to the paste here.

Okay - here's the OTL log - http://www.wklej.org/id/117962/

Thanks in advance for the help. Olek.

Right, easy to remove, but terribly annoying.

Paste the text into OTL

Click Run Fix. After the restart, open OTL and click Run Scan. Show the log.

Okay. I followed the instructions - after the restart OTL showed me a log by itself (I don't know if that's the one you mean…?) - http://www.wklej.org/id/118067/

In case that isn't THE log - here's the log after pressing “Run Scan” - http://www.wklej.org/id/118069/

Thanks for the help. Regards, Olek.

Looks like there's nothing left.

In OTL, click CleanUp.

Turn off System Restore for a moment.

http://support.microsoft.com/kb/310405/pll

Run a full scan with Malwarebytes Anti-Malware; if it finds anything - remove it and paste the log.

http://dobreprogramy.pl/index.php?dz=2& … ntiMalware

Clean the disk and registry with CCleaner

http://dobreprogramy.pl/index.php?dz=2&id=1125&CCleaner