W trakcie uruchomienia uruchamiał się nieznany program System Care, który na wstępie skanował system i spowalniał go. Folder programu został usunięty ręcznie nie poprzez odinstaluj ale po prostu usuń. Przestało się pokazywać skanowanie. Natomiast nie wiem dlaczego w skanowaniu combofixem pojawia się że Microsoft Essential Security jest uruchomiony ponieważ usunąłem go poprzez dodaj/usuń programy. Dołączam Log z combofixa
ComboFix 13-04-20.02 - vista 2013-04-21 15:03:39.2.2 - x86
Microsoft® Windows Vista Home Premium 6.0.6002.2.1250.48.1045.18.2939.1827 [GMT 2:00]
Uruchomiony z: c:\users\vista\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Usuniêto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\0tbpw.pad
.
.
((((((((((((((((((((((((( Pliki utworzone od 2013-03-21 do 2013-04-21 )))))))))))))))))))))))))))))))
.
.
2013-04-21 13:11 . 2013-04-21 13:13 -------- d-----w- c:\users\vista\AppData\Local\temp
2013-04-21 13:11 . 2013-04-21 13:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-04-21 13:11 . 2013-04-21 13:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-21 12:45 . 2013-04-21 12:45 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6A65100B-0B91-465D-9158-C494477B2AAF}\offreg.dll
2013-04-21 12:02 . 2013-03-06 22:33 62376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-04-21 12:02 . 2013-03-06 22:33 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-04-21 12:02 . 2013-03-06 22:33 368176 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-04-21 12:02 . 2013-03-06 22:33 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-04-21 12:02 . 2013-03-06 22:33 765736 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-04-21 12:02 . 2013-03-06 22:33 49248 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-04-21 12:02 . 2013-03-06 22:33 164736 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-04-21 12:02 . 2013-03-06 22:33 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-04-21 12:02 . 2013-03-06 22:32 228600 ----a-w- c:\windows\system32\aswBoot.exe
2013-04-21 12:02 . 2013-03-06 22:32 41664 ----a-w- c:\windows\avastSS.scr
2013-04-21 12:01 . 2013-04-21 12:01 -------- d-----w- c:\program files\AVAST Software
2013-04-21 12:01 . 2013-04-21 12:01 -------- d-----w- c:\programdata\AVAST Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-21 12:49 . 2012-04-11 12:42 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-21 12:49 . 2011-11-20 11:13 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-02 10:33 . 2011-11-18 12:27 237088 ------w- c:\windows\system32\MpSigStub.exe
2013-02-12 01:57 . 2013-03-22 10:26 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domylne, prawid³owe wpisy nie s¹ pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@= " {472083B0-C522-11CF-8763-00608CC02F24} "
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 22:32 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" Gadu-Gadu " = " c:\program files\Gadu-Gadu\gg.exe " [2008-03-20 2127296]
" ehTray.exe " = " c:\windows\ehome\ehTray.exe " [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" SynTPEnh " = " c:\program files\Synaptics\SynTP\SynTPEnh.exe " [2007-12-06 1029416]
" NDSTray.exe " = " NDSTray.exe " [BU]
" RtHDVCpl " = " RtHDVCpl.exe " [2008-04-08 6037504]
" TPwrMain " = " c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE " [2008-01-17 431456]
" SmoothView " = " c:\program files\Toshiba\SmoothView\SmoothView.exe " [2008-06-24 509816]
" 00TCrdMain " = " c:\program files\TOSHIBA\FlashCards\TCrdMain.exe " [2008-05-09 716800]
" Toshiba Registration " = " c:\program files\Toshiba\Registration\ToshibaRegistration.exe " [2008-01-11 574864]
" APSDaemon " = " c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe " [2011-09-27 59240]
" avast " = " c:\program files\AVAST Software\Avast\avastUI.exe " [2013-03-06 4767304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
" ConsentPromptBehaviorAdmin " = 0 (0x0)
" EnableLUA " = 0 (0x0)
" EnableUIADesktopToggle " = 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@= " Service "
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2008-04-29 09:33 417792 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google EULA Launcher]
2008-05-28 11:40 20480 ----a-w- c:\program files\Google\Google EULA\GoogleEULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
" AntiVirusOverride " =dword:00000001
" FirewallOverride " =dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
" DisableMonitoring " =dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3697887721-1564011690-1190772294-1000]
" EnableNotificationsRef " =dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
bthsvcs REG_MULTI_SZ BthServ
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-21 12:03 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Zawartoæ folderu 'Zaplanowane zadania'
.
2013-04-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 12:49]
.
2013-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-04-21 12:02]
.
2013-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-04-21 12:02]
.
2013-04-20 c:\windows\Tasks\User_Feed_Synchronization-{618A8694-C6C9-441E-B612-B81B558A5571}.job
- c:\windows\system32\msfeedssync.exe [2013-04-10 08:51]
.
.
------- Skan uzupe³niaj¹cy -------
.
uStart Page = hxxp://www.wp.pl/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEA & bmod=TSEA
TCP: DhcpNameServer = 217.172.224.160 192.168.1.254
.
- - - - USUNIÊTO PUSTE WPISY - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-MSC - c:\program files\Microsoft Security Client\msseces.exe
MSConfigStartUp-Ukotavur - c:\users\vista\AppData\Roaming\Amqec\yvkaa.exe
AddRemove-Microsoft .NET Framework 4 Client Profile - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\Setup.exe
AddRemove-Microsoft .NET Framework 4 Client Profile PLK Language Pack - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\ClientLP\Setup.exe
AddRemove-{321320E1-0E5A-36CB-9E52-F3B201B8C4D4}.KB2478663 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\ClientLP\setup.exe
AddRemove-{321320E1-0E5A-36CB-9E52-F3B201B8C4D4}.KB2518870 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\ClientLP\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2468871 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2478663 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2518870 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2533523 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2539636 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2572078 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2600217 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2604121 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2633870 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2656351 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2656368 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2656368v2 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2656405 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2686827 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2729449 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2737019 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2742595 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2789642 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-21 15:12
Windows 6.0.6002 Service Pack 2 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomylnie ukoñczone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@= " FlashBroker "
" LocalizedString " = " @c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101 "
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
" Enabled " =dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@= " c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe "
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@= " {FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@= " IFlashBroker5 "
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@= " {00020424-0000-0000-C000-000000000046} "
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@= " {FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
" Version " = " 1.0 "
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
" BlindDial " =dword:00000000
.
Czas ukoñczenia: 2013-04-21 15:19:45
ComboFix-quarantined-files.txt 2013-04-21 13:19
ComboFix2.txt 2012-10-01 09:41
.
Przed: 82 834 337 792 bajtów wolnych
Po: 82 810 269 696 bajtów wolnych
.
- - End Of File - - 53C55960B8285842B139930BE444AC76