ComboFix 12-06-09.02 - admin 2012-06-10 14:04:18.1.2 - x86
Uruchomiony z: c:\documents and settings\admin\Pulpit\ComboFix.exe
.
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\a9a3c2e8\U
c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\a9a3c2e8\U\00000001.@
c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\a9a3c2e8\U\000000c0.@
c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\a9a3c2e8\U\000000cb.@
c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\a9a3c2e8\U\000000cf.@
c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\a9a3c2e8\U\80000000.@
c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\a9a3c2e8\U\800000c0.@
c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\a9a3c2e8\U\800000cb.@
c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\a9a3c2e8\U\800000cf.@
c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\a9a3c2e8\X
c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\fliaguhd.exe
c:\windows\$NtUninstallKB38068$\2846081768\@
c:\windows\$NtUninstallKB38068$\2846081768\L\bcmxhwmw
c:\windows\$NtUninstallKB38068$\2846081768\loader.tlb
c:\windows\$NtUninstallKB38068$\2846081768\U\@00000001
c:\windows\$NtUninstallKB38068$\2846081768\U\@000000c0
c:\windows\$NtUninstallKB38068$\2846081768\U\@000000cb
c:\windows\$NtUninstallKB38068$\2846081768\U\@000000cf
c:\windows\$NtUninstallKB38068$\2846081768\U\@80000000
c:\windows\$NtUninstallKB38068$\2846081768\U\@800000c0
c:\windows\$NtUninstallKB38068$\2846081768\U\@800000cb
c:\windows\$NtUninstallKB38068$\2846081768\U\@800000cf
c:\windows\$NtUninstallKB38068$\811675482
c:\windows\system32\crt.dat
c:\windows\system32\dds_log_ad13.cmd
c:\windows\system32\EKECioCtl.dll
c:\windows\system32\mdhcp32.dll
c:\windows\system32\shimg.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\U81xmdm.dll
c:\windows\$NtUninstallKB38068$ . . . . nie udało się usunąć
.
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MSTAPE
-------\Service_MSTAPE
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-05-10 do 2012-06-10 )))))))))))))))))))))))))))))))
.
.
2012-06-10 11:51 . 2004-08-04 21:00 188672 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-06-10 11:51 . 2004-08-04 21:00 188672 ----a-w- c:\windows\system32\dllcache\acpi.sys
2012-05-18 14:59 . 2012-06-10 12:04 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-05-18 14:59 . 2012-05-18 14:59 58288 ------w- c:\windows\system32\rpcnet.exe
2012-05-18 14:56 . 2012-06-10 12:04 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2012-05-13 07:51 . 2012-06-10 06:03 17408 ----a-w- c:\windows\system32\rpcnetp.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-17 15:37 . 2012-04-08 20:36 44544 ----a-w- c:\windows\system32\agremove.exe
2012-03-15 21:17 . 2011-09-10 14:25 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\51fc2b55c6deef38fc801319336cdbc7\ipsec.sys
[-] 2004-08-04 21:00 . A6AC67A677EC26C21E42E88604DF3160 . 74752 . . [------] . . c:\windows\system32\drivers\ipsec.sys
.
[-] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\51fc2b55c6deef38fc801319336cdbc7\ipsec.sys
[-] 2004-08-04 21:00 . A6AC67A677EC26C21E42E88604DF3160 . 74752 . . [------] . . c:\windows\system32\drivers\ipsec.sys
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^BTTray.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2006-08-30 07:40 89542 ----a-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2007-08-23 07:36 53248 ----a-w- c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 21:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2006-05-18 14:24 196696 ----a-w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-03-23 07:32 162584 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-03-23 07:32 138008 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
2007-03-14 13:42 321088 ----a-w- c:\program files\Pure Networks\Network Magic\nmapp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-03-23 07:32 138008 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMHandler]
2007-03-16 03:26 31840 ----a-w- c:\progra~1\Lenovo\PMDRIV~1\PMHandler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-08-10 07:21 16384000 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 11:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPWAUDAP]
2006-09-06 07:38 54824 ----a-w- c:\program files\Lenovo\HOTKEY\TpWAudAp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"W32Time"=2 (0x2)
"btwdins"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2006-05-24 10240]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-05-22 30336]
S4 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe --> c:\windows\system32\FpLogonServ.exe [?]
S4 FNF5SVC;Fn+F5 Service;c:\program files\Lenovo\HOTKEY\FnF5svc.exe [2007-05-11 54832]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
MSTAPE
citrixwmiservice
.
Zawartość folderu 'Zaplanowane zadania'
.
2011-09-13 c:\windows\Tasks\Przypomnienie o rejestracji 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2011-09-08 21:00]
.
2011-09-08 c:\windows\Tasks\Przypomnienie o rejestracji 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2011-09-08 21:00]
.
2011-09-18 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2011-09-14 20:18]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://lenovo.live.com
uSearchURL,(Default) = hxxp://g.msn.com.pl/0SEPLPL/SAOS01?FORM=TOOLBR
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Wyślij do urządzenia &Bluetooth... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\admin\Dane aplikacji\Mozilla\Firefox\Profiles\3t84jw01.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl/
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
MSConfigStartUp-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
MSConfigStartUp-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-10 14:15
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'winlogon.exe'(652)
c:\program files\Lenovo\HOTKEY\tphklock.dll
.
- - - - - - - > 'explorer.exe'(3820)
c:\windows\system32\WININET.dll
c:\windows\system32\ODBC32.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Lenovo\PM Driver\PMSveH.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Czas ukończenia: 2012-06-10 14:16:16 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2012-06-10 12:16
.
Przed: 252 256 043 008 bajtów wolnych
Po: 252 805 689 344 bajtów wolnych
.
- - End Of File - - 4DFF40905B2F60F367F875B0A35665B7