ComboFix 09-04-14.06 - masterxp 2009-04-14 11:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.1535.904 [GMT 2:00]
Uruchomiony z: c:\documents and settings\masterxp\Pulpit\ComboFix.exe
AV: System Antywirusowy NOD32 2.50 *On-access scanning enabled* (Outdated)
 * Utworzono nowy punkt przywracania
 * Resident AV is active
.
(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Menu Start\Programy\Internet Explorer.lnk
c:\documents and settings\masterxp\Dane aplikacji\BITS
c:\documents and settings\masterxp\Dane aplikacji\BITS\BITS.ini
c:\documents and settings\masterxp\Dane aplikacji\BITS\DHTTable.dat
c:\documents and settings\masterxp\Dane aplikacji\BITS\ProxyList.ini
c:\documents and settings\masterxp\Dane aplikacji\BITS\Torrent\20081118190605.torrent
c:\documents and settings\masterxp\Dane aplikacji\BITS\Torrent\20081118190605.torrent.~tmp
c:\documents and settings\masterxp\Dane aplikacji\BITS\Torrent\20081118190605.torrent.bits
c:\documents and settings\masterxp\Dane aplikacji\BITS\Torrent\20081118190605.torrent.filelist
c:\documents and settings\masterxp\Dane aplikacji\BITS\Torrent\20081118190605.torrent.hybridlist
c:\documents and settings\masterxp\Dane aplikacji\BITS\Torrent\20081118190605.torrent.seeds
c:\documents and settings\masterxp\Dane aplikacji\BITS\UPnP.ini
c:\documents and settings\masterxp\Dane aplikacji\inst.exe
c:\documents and settings\masterxp\masterxp.exe
c:\windows\system32\advpacks.exe
c:\windows\system32\digiwet.dll
.
(((((((((((((((((((((((((((((((((((((((   Sterowniki/Usługi   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_EVENTSYSTEMDMADMIN
-------\Service_EventSystemdmadmin

(((((((((((((((((((((((((   Pliki utworzone od 2009-03-14 do 2009-04-14   )))))))))))))))))))))))))))))))
.
2009-04-13 17:51 . 2009-04-13 18:14 32 --s-a-w c:\windows\system32\4036871371.dat
2009-03-25 10:44 . 2009-03-25 10:44 -------- d-----w c:\documents and settings\masterxp\Ustawienia lokalne\Dane aplikacji\Installer1096
2009-03-25 10:24 . 2009-03-25 10:24 -------- d-----w c:\documents and settings\masterxp\Ustawienia lokalne\Dane aplikacji\Installer3692
2009-03-23 18:14 . 2009-03-23 18:14 -------- d--h--w c:\documents and settings\Gość\Ustawienia lokalne
2009-03-23 18:14 . 2009-03-23 18:14 -------- d--h--w c:\documents and settings\Gość\Ustawienia lokalne
2009-03-23 18:14 . 2009-03-23 18:14 -------- d-----w c:\documents and settings\Gość\Dane aplikacji
2009-03-23 18:14 . 2009-03-23 18:14 -------- d-----w c:\documents and settings\Gość\Dane aplikacji
2009-03-23 18:14 . 2009-03-23 18:14 -------- d-----w c:\documents and settings\Gość
2009-03-19 15:36 . 2008-04-14 17:20 21504 -c--a-w c:\windows\system32\dllcache\hidserv.dll
2009-03-19 15:36 . 2008-04-14 17:20 21504 ----a-w c:\windows\system32\hidserv.dll
2009-03-19 15:36 . 2008-04-14 16:20 14720 -c--a-w c:\windows\system32\dllcache\kbdhid.sys
2009-03-19 15:36 . 2008-04-14 16:20 14720 ----a-w c:\windows\system32\drivers\kbdhid.sys
.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 08:21 . 2009-03-09 16:12 -------- d-----w c:\documents and settings\masterxp\Dane aplikacji\mIRC
2009-04-11 07:38 . 2008-10-26 18:29 65536 ----a-w C:\asusdisp.log
2009-04-09 09:25 . 2008-12-02 15:00 -------- d-----w c:\documents and settings\masterxp\Dane aplikacji\RCP 5
2009-04-07 19:48 . 2008-12-19 21:12 31138 ----a-w C:\hpfr5100.log
2009-04-07 14:48 . 2008-08-26 13:47 -------- d-----w c:\program files\Gadu-Gadu
2009-03-29 11:44 . 2006-03-02 12:00 86968 ----a-w c:\windows\system32\perfc015.dat
2009-03-29 11:44 . 2006-03-02 12:00 494308 ----a-w c:\windows\system32\perfh015.dat
2009-03-25 12:40 . 2008-09-05 18:57 -------- d-----w c:\documents and settings\masterxp\Dane aplikacji\teamspeak2
2009-03-05 15:38 . 2009-03-05 15:38 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\nView_Profiles
2009-02-26 09:10 . 2008-10-23 08:01 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-23 11:20 . 2009-02-23 11:20 -------- d-----w c:\documents and settings\masterxp\Dane aplikacji\Mumble
2009-02-22 11:15 . 2009-02-22 11:15 116232 ---h--w C:\treeinfo.wc
2009-02-21 12:25 . 2008-08-26 13:15 53232 ----a-w c:\documents and settings\masterxp\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-02-18 12:27 . 2009-01-14 17:32 -------- d---a-w c:\documents and settings\All Users\Dane aplikacji\TEMP
2009-02-16 15:51 . 2008-11-03 22:07 -------- d-----w c:\documents and settings\masterxp\Dane aplikacji\Skype
2009-02-16 15:31 . 2008-11-03 22:11 -------- d-----w c:\documents and settings\masterxp\Dane aplikacji\skypePM
2009-02-10 18:01 . 2008-10-14 16:00 146 ----a-w C:\DevList.txt
2009-02-09 14:07 . 2006-03-02 12:00 1847040 ----a-w c:\windows\system32\win32k.sys
2009-01-17 15:54 . 2009-01-17 15:54 249856 ------w c:\windows\Setup1.exe
2009-01-17 15:54 . 2009-01-17 15:54 73216 ----a-w c:\windows\ST6UNST.EXE
2008-12-09 21:28 . 2008-12-09 21:28 52520 ----a-w c:\documents and settings\masterxp\Dane aplikacji\GDIPFONTCACHEV1.DAT
2008-10-23 07:16 . 2008-10-18 16:53 47360 ----a-w c:\documents and settings\masterxp\Dane aplikacji\pcouffin.sys
2008-10-22 16:26 . 2008-10-22 16:26 121552 ----a-w c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat
2008-10-20 20:29 . 2008-10-20 20:29 133 ----a-w c:\documents and settings\masterxp\Ustawienia lokalne\Dane aplikacji\fusioncache.dat
.
------- Sigcheck -------

[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2006-03-02 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-11-14 2131392]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-09-16 1961984]
"scheduler_monitor"="d:\programy\Konwersja grafiki\Rea Converter\init_scheduler.exe" [2007-06-15 27136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-10-12 917504]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-06-01 1519616]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2004-01-08 65536]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-06-01 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Gadu-Gadu\gg.exe"=
"e:\Gry\cs\hl.exe"=
"c:\WINDOWS\system32\dpvsetup.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
"c:\Program Files\Mozilla Firefox\firefox.exe"=
"c:\Documents and Settings\masterxp\temp\TeamViewer\Version4\TeamViewer.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\totalcmd\TOTALCMD.EXE"=
"e:\Gry\Steam\SteamApps\vallar92\counter-strike\hl.exe"=
"e:\Gry\Steam\SteamApps\vallar92\day of defeat\hl.exe"=
"e:\Gry\Steam\SteamApps\vallar92\counter-strike beta\hl.exe"=
"e:\Gry\Steam\SteamApps\vallar92\team fortress classic\hl.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
"e:\Gry\mIRC\mirc.exe"=
"c:\WINDOWS\system32\userinit.exe"=
"c:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27005:TCP"= 27005:TCP:*:Disabled:cs
"27059:TCP"= 27059:TCP:*:Disabled:cs moj serw

R2 acpi32;acpi32; [x]
R2 amd64si;amd64si; [x]
R2 ati64si;ati64si; [x]
R2 fips32cup;fips32cup; [x]
R2 i386si;i386si; [x]
R2 ksi32sk;ksi32sk; [x]
R2 netsik;netsik; [x]
R2 nicsk32;nicsk32; [x]
R2 OMSCAN;OMSCAN; [x]
R2 port135sik;port135sik; [x]
R2 ws2_32sik;ws2_32sik; [x]
R3 autorun;autorun; [x]
R3 ddsxeiservice;ddsxeiservice2; [x]
R3 FXDRV;FXDRV; [x]
R3 rcp_service;ReaConverter scheduler service;d:\programy\Konwersja grafiki\Rea Converter\rcp_scheduler.exe [2007-11-30 558592]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\DRIVERS\Amps2prt.sys [2006-05-09 13824]
S3 BT848;Studio WDM Video Capture;c:\windows\system32\drivers\BT848.sys [2000-09-13 207319]
S3 BTTUNER;Studio WDM TvTuner;c:\windows\system32\drivers\BTTUNER.sys [2000-09-13 8571]
S3 BTXBAR;Studio WDM Crossbar;c:\windows\system32\drivers\BTXBAR.sys [2000-09-13 7785]
S3 MouseCap;MouseCapture Driver;c:\windows\system32\Drivers\MouseCap.sys [2005-08-08 6640]
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-masterxp - c:\documents and settings\masterxp\masterxp.exe
HKLM-Run-GameFace Messenger - c:\program files\GameFace Messenger\GameFace.exe
HKLM-Run-WheelMouse - c:\program files\A4Tech\Mouse\Amoumain.exe
.
------- Skan uzupełniający -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Download All by FlashGet - e:\programy\FlashGet universal\ComDlls\Bhoall.htm
IE: &Download by FlashGet - e:\programy\FlashGet universal\ComDlls\Bholink.htm
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
FF - ProfilePath - c:\documents and settings\masterxp\Dane aplikacji\Mozilla\Firefox\Profiles\7gmxrdgw.default\
FF - prefs.js: browser.search.selectedEngine - GooglePL
FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl/
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
FF - user.js: browser.search.selectedEngine - GooglePL
.
**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 11:25
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\autorun]
"ImagePath"="\??\c:\huadio.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-299502267-2139871995-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{15500107-2388-FF59-B592-7412558DDEF9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eafiobdlph"=hex:66,61,70,70,70,64,63,6c,61,6e,6e,6d,00,31
"daiifafe"=hex:64,62,6a,6b,62,69,69,65,6a,66,6e,61,68,69,6f,6e,62,6e,61,6b,6a,\
  61,6b,6a,67,6c,63,62,67,70,6c,6e,61,6e,62,6b,66,6a,69,6c,00,00
"iankpfhkjabjnghbmi"=hex:6a,61,62,65,6f,64,6c,61,6d,6a,6a,69,6f,70,6d,6a,6c,65,\
  65,63,00,00
"hahkfiooffcaapii"=hex:69,61,6b,6c,6c,66,66,6e,61,65,67,64,6a,6c,70,67,66,6a,\
  00,00
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'lsass.exe'(844)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll

- - - - - - - > 'explorer.exe'(2752)
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\program files\Microsoft Office\Office10\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\rundll32.exe
c:\windows\ATKKBService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Eset\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Czas ukończenia: ~,10time:~,-3machine was rebootedCombobatch-by
ComboFix-quarantined-files.txt 2009-04-14 09:27

Przed: 17,534,103,552 bajtów wolnych
Po: 19,691,962,368 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

238 - - E O F - - 2009-03-17 12:17