ComboFix 12-07-06.02 - RL0052 2012-07-06 20:49:16.2.2 - x86 Microsoft Windows 7 Enterprise 6.1.7601.1.1250.48.1045.18.3070.2191 [GMT 2:00] Uruchomiony z: c:\users\rl0052\Desktop\ComboFix.exe AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Utworzono nowy punkt przywracania . . ((((((((((((((((((((((((( Pliki utworzone od 2012-06-06 do 2012-07-06 ))))))))))))))))))))))))))))))) . . 2012-07-06 18:54 . 2012-07-06 18:54 -------- d-----w- c:\users\rlroot\AppData\Local\temp 2012-07-06 18:54 . 2012-07-06 18:54 -------- d-----w- c:\users\rl0626\AppData\Local\temp 2012-07-06 18:54 . 2012-07-06 18:54 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-07-06 18:49 . 2012-07-06 18:49 5494 ----a-w- c:\windows\system32\PerfStringBackup.TMP 2012-07-06 17:20 . 2012-07-06 17:20 -------- d-----w- c:\users\rl0052\AppData\Roaming\hellomoto 2012-07-03 10:04 . 2012-07-06 18:26 -------- d-----w- c:\users\rl0052\AppData\Local\assembly 2012-07-01 01:07 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C408C8FF-73C3-4C7D-97D6-B328399DD181}\mpengine.dll 2012-06-17 13:01 . 2012-04-28 04:41 919040 ----a-w- c:\windows\system32\rdpcorets.dll 2012-06-17 13:01 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-06-14 08:38 . 2012-06-14 08:38 -------- d-----w- c:\users\rl0052\AppData\Local\Macromedia . . . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-06-26 10:01 . 2012-05-03 16:41 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-06-26 10:01 . 2012-01-17 16:58 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2010-03-10 23:01 . 2010-03-10 23:01 124272 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll 2010-03-10 23:40 . 2010-03-10 23:40 13168 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll 2010-03-10 23:02 . 2010-03-10 23:02 70512 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll 2010-03-10 23:01 . 2010-03-10 23:01 91504 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll 2010-03-10 23:01 . 2010-03-10 23:01 22384 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll 2010-03-10 23:00 . 2010-03-10 23:00 255344 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll 2010-03-10 23:01 . 2010-03-10 23:01 31088 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll 2010-03-10 23:01 . 2010-03-10 23:01 40304 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll 2009-10-05 12:49 . 2009-10-05 12:49 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll 2010-03-10 23:02 . 2010-03-10 23:02 23920 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll 2012-06-18 07:32 . 2012-01-17 14:47 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal] @="{C5994560-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}] 2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified] @="{C5994561-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}] 2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict] @="{C5994562-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}] 2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked] @="{C5994563-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}] 2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly] @="{C5994564-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}] 2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted] @="{C5994565-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}] 2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded] @="{C5994566-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}] 2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored] @="{C5994567-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}] 2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned] @="{C5994568-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}] 2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2010-08-06 85528] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) "HideFastUserSwitching"= 1 (0x1) . [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoAutoUpdate"= 1 (0x1) "ForceStartMenuLogOff"= 1 (0x1) "NoSMHelp"= 1 (0x1) "NoPublishingWizard"= 0 (0x0) "NoOnlinePrintsWizard"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus] 2009-08-17 12:27 100104 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService] @="Service" . [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk] path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk backup=c:\windows\pss\Bluetooth.lnk.CommonStartup backupExtension=.CommonStartup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2012-01-02 09:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint] 2009-12-02 23:19 176128 ----a-w- c:\program files\Apoint2K\Apoint.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AwaySch] 2006-11-07 17:51 91688 ----a-w- c:\program files\Lenovo\AwayTask\AwaySch.EXE . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync] 2010-03-13 12:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter] 2010-03-10 23:21 300400 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DameWare MRC Agent] 2010-08-06 12:52 85528 ----a-w- c:\windows\System32\DWRCST.EXE . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] 2010-02-05 14:13 173592 ----a-w- c:\windows\System32\hkcmd.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] 2010-02-05 14:13 141336 ----a-w- c:\windows\System32\igfxtray.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPMailChecker] 2009-07-23 01:11 124248 ------w- c:\progra~1\THINKV~2\PrdCtr\LPMLCHK.EXE . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager] 2009-07-23 01:11 185688 ------w- c:\progra~1\THINKV~2\PrdCtr\LPMGR.EXE . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI] 2009-08-25 14:00 136512 ----a-w- c:\program files\McAfee\Common Framework\UdaterUI.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] 2009-09-05 17:03 13797992 ----a-w- c:\windows\System32\nvcpl.dll . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] 2009-08-26 21:10 1657376 ----a-w- c:\windows\System32\nwiz.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess] 2011-07-21 22:07 718720 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence] 2010-02-05 14:13 142360 ----a-w- c:\windows\System32\igfxpers.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher] 2009-08-17 11:26 55048 ----a-w- c:\program files\ThinkVantage Fingerprint Software\launcher.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWMTRV] 2011-02-04 01:45 1254760 ------w- c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RpcEpMap] 2012-07-06 17:20 49664 ----a-w- c:\users\rl0052\AppData\Local\Microsoft\Windows\1096\RpcEpMap.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE] 2010-03-25 18:07 124224 ----a-w- c:\program files\McAfee\VirusScan Enterprise\shstat.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP] 2009-05-18 15:28 1314816 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2012-01-18 13:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh] 2011-02-17 17:23 2200872 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY] 2010-07-27 15:05 69560 ----a-w- c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks] 2010-07-01 17:25 337256 ----a-w- c:\windows\System32\TpShocks.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy] 2008-03-04 08:34 487424 ----a-w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe . R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x] R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x] R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x] R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x] R3 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [x] R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x] R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x] R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x] R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x] R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [x] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x] R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x] R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x] R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x] R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x] R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x] R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x] R3 WatAdminSvc;Usługa Technologie aktywacji systemu Windows;c:\windows\system32\Wat\WatAdminSvc.exe [x] R4 ApRunSvc;Alps Application Launcher Service;c:\program files\Apoint2K\ApRunSvc.exe [x] S0 DozeHDD;DozeHDD;c:\windows\System32\DRIVERS\DozeHDD.sys [x] S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [x] S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x] S1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\DRIVERS\dwvkbd.sys [x] S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [x] S2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [x] S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [x] S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [x] S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x] S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x] S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x] S2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\DRIVERS\vnasc.sys [x] S2 VPN-1;VPN-1 Module;c:\windows\System32\drivers\vpn.sys [x] S3 DwMirror;DwMirror;c:\windows\system32\DRIVERS\DamewareMini.sys [x] S3 FW1;SecuRemote Miniport;c:\windows\system32\DRIVERS\fw.sys [x] S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x] . . Zawartość folderu 'Zaplanowane zadania' . 2012-07-06 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-03 10:01] . . ------- Skan uzupełniający ------- . uStart Page = hxxp://rl-portal uInternet Settings,ProxyOverride = uInternet Settings,ProxyServer = 172.16.255.61:8080 IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000 IE: {{07BA1DA9-F501-4796-8728-74D1B91A6CD5} - c:\program files\PokerStars.EU\PokerStarsUpdate.exe Trusted Zone: helpdesk Trusted Zone: rl-online.pl\www Trusted Zone: rlplservrpt Trusted Zone: top Trusted Zone: helpdesk Trusted Zone: rl-online.pl\www Trusted Zone: rlplservrpt Trusted Zone: top TCP: DhcpNameServer = 62.179.1.63 62.179.1.62 FF - ProfilePath - c:\users\rl0052\AppData\Roaming\Mozilla\Firefox\Profiles\sskxpg5k.default\ . . --------------------- ZABLOKOWANE KLUCZE REJESTRU --------------------- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . --------------------- Pliki DLL ładowane pod uruchomionymi procesami --------------------- . - - - - - - - > 'lsass.exe'(588) c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll c:\program files\ThinkVantage Fingerprint Software\homefus2.dll c:\program files\ThinkVantage Fingerprint Software\infql2.dll . - - - - - - - > 'Explorer.exe'(4184) c:\program files\ThinkPad\Utilities\PWMTR32V.DLL c:\progra~1\ThinkPad\UTILIT~1\US\PWMRT32V.DLL c:\progra~1\ThinkPad\UTILIT~1\PWMIF32V.DLL . Czas ukończenia: 2012-07-06 20:57:23 ComboFix-quarantined-files.txt 2012-07-06 18:57 ComboFix2.txt 2012-07-06 18:35 . Przed: 26 443 345 920 bajtów wolnych Po: 26 260 955 136 bajtów wolnych . - - End Of File - - 557D6CE0F42FA62632B4FF99276329C3