ComboFix 12-06-09.02 - admin 2012-06-10 17:56:50.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.1014.753 [GMT 2:00]
Uruchomiony z: c:\documents and settings\admin\Pulpit\ComboFix.exe
.
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Poprzednie uruchomienie -------
.
c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\a9a3c2e8
c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\a9a3c2e8\@
.
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_CITRIXWMISERVICE
-------\Legacy_FINGERPRINTSERVER
-------\Legacy_SUSERVICE
-------\Service_citrixwmiservice
-------\Service_FingerprintServer
-------\Service_SUService
-------\Service_TVTPktFilter
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-05-10 do 2012-06-10 )))))))))))))))))))))))))))))))
.
.
2012-06-10 15:30 . 2012-06-10 15:29 74752 ------w- C:\ipsec.sys
2012-06-10 11:51 . 2004-08-04 21:00 188672 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-06-10 11:51 . 2004-08-04 21:00 188672 ----a-w- c:\windows\system32\dllcache\acpi.sys
2012-05-18 14:59 . 2012-06-10 15:56 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-05-18 14:59 . 2012-05-18 14:59 58288 ------w- c:\windows\system32\rpcnet.exe
2012-05-18 14:56 . 2012-06-10 15:56 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2012-05-13 07:51 . 2012-06-10 06:03 17408 ----a-w- c:\windows\system32\rpcnetp.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-10 15:29 . 2011-09-08 23:35 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-05-17 15:37 . 2012-04-08 20:36 44544 ----a-w- c:\windows\system32\agremove.exe
2012-03-15 21:17 . 2011-09-10 14:25 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-10_12.13.05 )))))))))))))))))))))))))))))))))))))))))
.
- 2011-09-08 23:34 . 2012-06-10 11:49 81256 c:\windows\system32\perfc015.dat
+ 2011-09-08 23:34 . 2012-06-10 15:53 81256 c:\windows\system32\perfc015.dat
+ 2011-09-08 23:34 . 2012-06-10 15:53 63614 c:\windows\system32\perfc009.dat
- 2011-09-08 23:34 . 2012-06-10 11:49 63614 c:\windows\system32\perfc009.dat
+ 2011-09-08 23:35 . 2012-06-10 15:29 74752 c:\windows\system32\dllcache\ipsec.sys
+ 2011-09-08 23:34 . 2012-06-10 15:53 463910 c:\windows\system32\perfh015.dat
- 2011-09-08 23:34 . 2012-06-10 11:49 463910 c:\windows\system32\perfh015.dat
+ 2011-09-08 23:34 . 2012-06-10 15:53 406162 c:\windows\system32\perfh009.dat
- 2011-09-08 23:34 . 2012-06-10 11:49 406162 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^BTTray.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2006-08-30 07:40 89542 ----a-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2007-08-23 07:36 53248 ----a-w- c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 21:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2006-05-18 14:24 196696 ----a-w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-03-23 07:32 162584 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-03-23 07:32 138008 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
2007-03-14 13:42 321088 ----a-w- c:\program files\Pure Networks\Network Magic\nmapp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-03-23 07:32 138008 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMHandler]
2007-03-16 03:26 31840 ----a-w- c:\progra~1\Lenovo\PMDRIV~1\PMHandler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-08-10 07:21 16384000 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 11:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPWAUDAP]
2006-09-06 07:38 54824 ----a-w- c:\program files\Lenovo\HOTKEY\TpWAudAp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"W32Time"=2 (0x2)
"btwdins"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2006-05-24 10240]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-05-22 30336]
S4 FNF5SVC;Fn+F5 Service;c:\program files\Lenovo\HOTKEY\FnF5svc.exe [2007-05-11 54832]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
MSTAPE
.
Zawartość folderu 'Zaplanowane zadania'
.
2011-09-13 c:\windows\Tasks\Przypomnienie o rejestracji 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2011-09-08 21:00]
.
2011-09-08 c:\windows\Tasks\Przypomnienie o rejestracji 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2011-09-08 21:00]
.
2011-09-18 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2011-09-14 20:18]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://lenovo.live.com
uSearchURL,(Default) = hxxp://g.msn.com.pl/0SEPLPL/SAOS01?FORM=TOOLBR
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Wyślij do urządzenia &Bluetooth... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\admin\Dane aplikacji\Mozilla\Firefox\Profiles\3t84jw01.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-10 18:00
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'winlogon.exe'(788)
c:\program files\Lenovo\HOTKEY\tphklock.dll
.
Czas ukończenia: 2012-06-10 18:01:38
ComboFix-quarantined-files.txt 2012-06-10 16:01
ComboFix2.txt 2012-06-10 12:16
.
Przed: 252 790 562 816 bajtów wolnych
Po: 252 793 745 408 bajtów wolnych
.
- - End Of File - - 274EFA1E4FEFDFA958D27D67DD44A582