ComboFix 09-09-10.03 - Administrator 2009-09-11 15:19.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2046.1413 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Administrator\Pulpit\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\plugins\NPMyGlSh.dll
c:\windows\AegisP.inf
c:\windows\Installer\af60c3d.msi

.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPSECPOOLER
-------\Service_IPSecPooler


((((((((((((((((((((((((( Pliki utworzone od 2009-08-11 do 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-11 13:27 . 2009-09-11 13:27 -------- d-----w- c:\windows\system32\wbem\snmp
2009-09-11 13:27 . 2009-09-11 13:27 -------- d-----w- c:\windows\system32\xircom
2009-09-11 13:27 . 2009-09-11 13:27 -------- d-----w- c:\program files\microsoft frontpage
2009-09-11 12:56 . 2009-09-11 12:56 -------- d-----w- c:\program files\Trend Micro
2009-09-10 08:53 . 2009-06-21 21:48 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-09 15:22 . 2009-09-09 15:40 -------- d-----w- c:\program files\NBA 2K9
2009-08-29 10:40 . 2009-08-29 10:40 -------- d-----w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\Criterion Games
2009-08-28 19:01 . 2009-08-28 19:01 -------- d-----w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\Redlynx
2009-08-23 07:37 . 2009-08-23 07:37 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Gaijin Ent
2009-08-22 01:03 . 2009-08-22 01:15 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-21 16:34 . 1998-07-30 15:43 305664 ----a-w- c:\windows\IsUn0415.exe
2009-08-21 16:24 . 1998-07-30 10:51 305152 ----a-w- c:\windows\IsUninst.exe
2009-08-21 07:07 . 2009-08-21 07:07 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Atari
2009-08-20 18:51 . 2009-07-10 13:31 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 13:30 . 2008-09-27 13:42 818182432 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-11 13:30 . 2008-09-27 13:39 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-11 13:27 . 2008-10-01 19:22 -------- d-----w- c:\program files\Smart Watchdog
2009-09-11 13:27 . 2008-10-01 19:22 -------- d-----w- c:\program files\Dualview Server
2009-09-11 13:26 . 2008-09-27 13:42 10959068 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-07 10:16 . 2009-02-22 09:24 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Nowe Gadu-Gadu
2009-09-06 23:15 . 2009-03-03 13:08 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\uTorrent
2009-09-06 18:20 . 2008-08-14 17:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-31 17:46 . 2009-03-04 08:26 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\BESTplayer
2009-08-29 14:27 . 2008-08-14 19:05 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Ahead
2009-08-29 09:50 . 2009-08-03 09:17 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Electronic Arts
2009-08-28 19:01 . 2008-08-16 23:09 -------- d-----w- c:\program files\OpenAL
2009-08-22 01:16 . 2008-08-14 17:55 84384 ----a-w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-08-22 01:08 . 2001-10-26 16:15 85334 ----a-w- c:\windows\system32\perfc015.dat
2009-08-22 01:08 . 2001-10-26 16:15 494214 ----a-w- c:\windows\system32\perfh015.dat
2009-08-05 14:20 . 2009-08-05 14:20 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-05 14:20 . 2009-08-05 14:20 22328 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\PnkBstrK.sys
2009-08-05 14:20 . 2009-08-05 14:19 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-05 14:19 . 2009-08-05 14:19 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-08-05 14:19 . 2009-08-05 14:19 682280 ----a-w- c:\windows\system32\pbsvc.exe
2009-08-05 13:28 . 2009-08-05 13:28 -------- d-----w- c:\program files\Activision
2009-08-05 09:01 . 2008-04-14 20:50 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 09:01 . 2009-08-03 09:01 -------- d-----w- c:\program files\Microsoft WSE
2009-08-01 22:28 . 2009-08-01 22:28 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\2DBoy
2009-07-29 19:31 . 2009-07-29 19:31 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\ConeXware
2009-07-29 16:01 . 2009-02-02 13:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-28 13:31 . 2009-07-28 13:31 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Bioshock
2009-07-28 12:14 . 2009-07-28 12:14 -------- d-----w- c:\program files\A4Tech
2009-07-25 17:13 . 2009-07-25 17:13 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\MailFrontier
2009-07-22 11:58 . 2008-08-14 17:26 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-20 21:40 . 2008-09-16 11:49 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-07-19 17:20 . 2009-07-19 17:20 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Age of Empires 3
2009-07-19 16:19 . 2008-11-07 23:20 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\skypePM
2009-07-19 16:04 . 2009-07-19 14:02 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Hamachi
2009-07-19 14:18 . 2009-05-02 19:39 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Skype
2009-07-19 14:00 . 2009-07-19 14:00 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-07-18 13:57 . 2009-04-17 21:55 -------- d-----w- c:\program files\SkanerOnline
2009-07-17 19:04 . 2008-04-14 20:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 21:43 . 2008-05-02 06:47 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 17:15 . 2009-05-26 08:12 -------- d-----w- c:\program files\OpenOffice.org 3
2009-06-29 15:59 . 2008-03-01 14:02 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 15:59 . 2008-05-02 06:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 15:59 . 2008-05-02 06:47 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:40 . 2008-04-14 20:50 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:40 . 2008-04-14 20:50 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 10:45 . 2008-04-14 20:51 78336 ----a-w- c:\windows\system32\telnet.exe
2009-06-15 10:45 . 2008-04-14 20:51 82944 ----a-w- c:\windows\system32\tlntsess.exe

.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-03-28 17:59 2953216 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-03-28 17:59 2953216 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WLSS"="c:\program files\Wireless Select Switch\WLSS.exe" [2007-10-17 189736]
"SMBTray"="c:\program files\Compal\Smart Battery\SMBTray.exe" [2007-06-04 521776]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-03-28 49168]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-09-16 1447168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-28 1005960]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2007-05-15 204800]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-05-10 16342528]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-06-29 124928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-28 17:46 90112 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-04-06 13:28 434176 ----a-w- c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"c:\Program Files\Microsoft Office\Office12\GROOVE.EXE"=
"c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"f:\PES 2009\pes2009.exe"=
"c:\JaBack8\jre\bin\javaw.exe"=
"c:\uTorrent\uTorrent.exe"=
"f:\ Gadu-Gadu\gg.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
"c:\WINDOWS\system32\PnkBstrA.exe"=
"c:\WINDOWS\system32\PnkBstrB.exe"=
"f:\Burnout.Paradise.The.Ultimate.Box\BurnoutLauncher.exe"=
"f:\Burnout.Paradise.The.Ultimate.Box\BurnoutConfigTool.exe"=
"f:\Burnout.Paradise.The.Ultimate.Box\BurnoutParadise.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8461:TCP"= 8461:TCP:GoD High Port
"8462:TCP"= 8462:TCP:GoD Low Port
"15094:TCP"= 15094:TCP:BitComet 15094 TCP
"15094:UDP"= 15094:UDP:BitComet 15094 UDP
"20086:TCP"= 20086:TCP:BitComet 20086 TCP
"20086:UDP"= 20086:UDP:BitComet 20086 UDP

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2008-08-14 9856]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-08-18 34312]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2006-04-06 31104]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2008-07-30 277736]
R2 DualView Server;DualView Server Service;c:\program files\Dualview Server\dualviewsvc.exe [2007-10-02 122880]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-09-17 468224]
R2 Smart Watchdog;Smart Watchdog Service;c:\program files\Smart Watchdog\SWDsvc.exe [2007-09-10 65536]
R3 DualViewFilter;DualViewFilter;c:\windows\system32\drivers\DualviewFilter.sys [2007-09-27 20224]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-08-14 36608]
S3 IPSECNDISBRIDGE;IP SEC PROTOCOL NDIS BRIDGE DRIVER;\??\c:\windows\system32\ipsecndis.sys --> c:\windows\system32\ipsecndis.sys [?]

.
Zawartość folderu 'Zaplanowane zadania'
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://wp.pl/
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Wyślij do urządzenia &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\lasnlpo6.default\
FF - prefs.js: browser.startup.homepage - google.pl
FF - plugin: c:\documents and settings\Administrator\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCARDS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPDARTS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMARBLES.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSLOTS70.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPWORDS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 15:29
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-343818398-606747145-1801674531-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-343818398-606747145-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Gry\C*o*m*m*a*n*d* *a*n*d* *C*o*n*q*u*e*r* *3* *W*o*j*n*y* *o* *t*y*b*e*r*i*u*m*"!\Pomoc]
"Order"=hex:08,00,00,00,02,00,00,00,b8,02,00,00,01,00,00,00,04,00,00,00,9c,00,
   00,00,00,00,00,00,8e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,7c,00,32,\

[HKEY_USERS\S-1-5-21-343818398-606747145-1801674531-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:95,ab,de,79,c9,ca,2f,8e,c9,2f,1c,9c,1a,ec,a9,7c,5b,12,85,dc,65,7e,0a,
   5f,39,9f,75,b6,68,fd,38,db,39,bc,c0,cf,0d,7d,af,bc,de,ce,8f,b0,3e,0e,93,cd,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-343818398-606747145-1801674531-500\Software\SecuROM\License information*]
"datasecu"=hex:cd,d6,bd,80,5a,ae,10,c6,52,55,87,05,2b,6c,21,c1,88,06,38,bf,1f,
   2a,09,e2,b4,2e,23,21,df,2b,c8,25,93,d4,c2,68,44,13,d2,c4,b2,df,78,e2,fc,70,\
"rkeysecu"=hex:2e,3f,3c,a4,80,1f,59,55,93,b6,67,f7,90,59,f7,22
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\IfxWlxEN.dll
c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(1076)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'explorer.exe'(3192)
c:\windows\system32\WININET.dll
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\Amhooker.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\IFXSPMGT.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Infineon\Security Platform Software\PSDsrvc.EXE
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Infineon\Security Platform Software\PSDrt.exe
c:\program files\Infineon\Security Platform Software\SpTNA.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Czas ukończenia: 2009-09-11 15:32 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-09-11 13:32

Przed: 2 765 479 936 bajtów wolnych
Po: 4 594 556 928 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
262 --- E O F --- 2009-09-10 23:57