ComboFix 09-02-17.02 - Adrian 2009-02-18 22:30:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.2046.1727 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Adrian\Pulpit\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
 * Utworzono nowy punkt przywracania
 * Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\mcenspc.dll
c:\windows\system32\twain32
c:\windows\system32\twain32\local.ds
c:\windows\system32\twain32\user.ds
c:\windows\system32\twain32\user.ds.lll
c:\windows\system32\twex.exe

----- BITS: Możliwe zainfekowane strony -----
hxxp://mainssrv.info
.
((((((((((((((((((((((((( Pliki utworzone od 2009-01-18 do 2009-02-18 )))))))))))))))))))))))))))))))
.
2009-02-18 12:12 . 2008-04-14 22:51 26,624 --a------ c:\windows\system32\userinit.exe
2009-02-10 12:33 . 2009-02-10 12:33
2009-02-10 12:24 . 2009-02-10 12:24
2009-02-10 12:23 . 2009-02-10 12:24
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-18 21:27 98,304 ----a-w c:\windows\DUMP5eba.tmp
2009-02-18 12:44 --------- d-----w c:\documents and settings\Adrian\Dane aplikacji\uTorrent
2009-02-12 16:21 98,304 ----a-w c:\windows\DUMP64d4.tmp
2009-01-30 18:24 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-14 13:33 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-14 13:33 --------- d-----w c:\program files\AGEIA Technologies
2008-12-26 10:16 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-12-23 15:36 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2008-12-23 14:44 1,700,352 ----a-w c:\windows\system32\gdiplus.dll
2008-12-21 16:20 --------- d-----w c:\program files\mp3DirectCut
2008-12-21 12:35 --------- d-----w c:\program files\Common Files\DirectX
2008-12-20 15:13 183,112 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-20 15:13 138,184 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-10 17:34 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-12-03 17:36 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-05-17 20:45 22,328 ----a-w c:\documents and settings\Adrian\Dane aplikacji\PnkBstrK.sys
2006-05-03 10:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w c:\windows\system32\Smab0.dll
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="e:\programy\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-09-15 950664]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Adrian^Menu Start^Programy^Autostart^MagicDisc.lnk]
path=c:\documents and settings\Adrian\Menu Start\Programy\Autostart\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 e:\programy\Sony Ericsson\PS\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 22:51 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--------- 2005-10-31 09:51 57344 c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-08-16 12:24 167368 e:\programy\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 22:51 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-11-12 14:54 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 00:06 487424 e:\programy\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 00:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 c:\windows\system32\P17.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"e:\Programy\GG\gg.exe"=
"c:\Program Files\uTorrent\uTorrent.exe"=
"e:\Programy\DC++\DCPlusPlus.exe"=
"e:\Gry\Steam\steamapps\adi.90@wp.pl\counter-strike source\hl2.exe"=
"e:\Programy\NAPI-PROJEKT\napisy.exe"=
"c:\Documents and Settings\Adrian\Dane aplikacji\SopCast\adv\SopAdver.exe"=
"e:\Programy\SopCast\SopCast.exe"=
"e:\Programy\Hamachi\hamachi.exe"=
"e:\Gry\Steam\Steam.exe"=
"c:\WINDOWS\system32\dpvsetup.exe"=
"e:\Gry\KONAMI\Pro Evolution Soccer 2008\PES2008.exe"=
"e:\Gry\Steam\steamapps\adi.90@wp.pl\counter-strike\hl.exe"=
"e:\Programy\SopCast\adv\SopAdver.exe"=
"e:\Programy\TVUPlayer\TVUPlayer.exe"=
"c:\WINDOWS\system32\PnkBstrA.exe"=
"c:\WINDOWS\system32\PnkBstrB.exe"=
"e:\Gry\Quake 3 Arena\quake3.exe"=
"e:\Gry\Quake III Arena\quake3.exe"=
"e:\Gry\Age of Empires III\age3x.exe"=
"e:\Gry\Age of Empires III\age3y.exe"=
"e:\Gry\KONAMI\Pro Evolution Soccer 2009\pes2009.exe"=
"e:\Gry\Sports Interactive\Football Manager 2009\fm.exe"=
"e:\Gry\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe"=
"e:\Gry\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"e:\Gry\Rockstar Games\Grand Theft Auto IV\GTAIV.exe"=
"e:\Gry\NonSteam\Counter-Strike\hl.exe"=
"e:\Gry\EA GAMES\Mirror's Edge\Binaries\MirrorsEdge.exe"=
"e:\Gry\Sports Interactive\Football Manager 2008\fm.exe"=
"c:\Program Files\Nowe Gadu-Gadu\gg.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3478:UDP"= 3478:UDP:stun
"3479:UDP"= 3479:UDP:stun 2
"6112:UDP"= 6112:UDP:stun 3
"5730:UDP"= 5730:UDP:game
"5739:UDP"= 5739:UDP:game 1
"9001:TCP"= 9001:TCP:game 2
"11881:TCP"= 11881:TCP:game 3

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-09-15 15424]
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};\??\c:\windows\TEMP\1992.tmp --> c:\windows\TEMP\1992.tmp [?]
.
Zawartość folderu 'Zaplanowane zadania'

2009-02-18 c:\windows\Tasks\HPpromotions journeysoftware.job
- c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36]
.
- - - - USUNIĘTO PUSTE WPISY - - - -

MSConfigStartUp-WinampAgent - e:\programy\Winamp\winampa.exe
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://wp.pl/
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Adrian\Dane aplikacji\Mozilla\Firefox\Profiles\bdodiyem.default\
FF - prefs.js: browser.startup.homepage - wp.pl
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 22:31:37
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\c:\windows\TEMP\1992.tmp"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-1606980848-1425521274-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:de,5e,8b,a9,9a,b3,60,19,af,68,e3,25,33,fd,f8,9f,9b,45,35,96,a6,54,5e,
   0e,a1,ce,95,31,c9,40,16,95,95,ea,cb,d8,99,67,39,df,1e,64,08,61,41,38,12,ab,\
"??"=hex:8e,33,55,eb,a4,b6,ba,34,a8,56,1a,97,32,d8,73,2d

[HKEY_USERS\S-1-5-21-1606980848-1425521274-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:2c,8f,8f,ba,02,3d,52,97,de,27,b7,43,04,f1,58,e5,6b,c5,c2,bb,ee,
   7a,4a,d8,aa,4b,22,be,d5,cc,bb,32,12,4a,4a,17,e7,d1,24,f5,5e,38,b0,d4,f8,e0,\
"rkeysecu"=hex:5d,25,98,4b,bf,ad,36,0c,e8,2f,f4,49,0f,59,d6,c0
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'lsass.exe'(896)
c:\windows\system32\imon.dll
.
Czas ukończenia: 2009-02-18 22:32:22
ComboFix-quarantined-files.txt 2009-02-18 21:32:20

Przed: 7,796,236,288 bajtów wolnych
Po: 7,921,152,000 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

199