laptop is dying - viruses are eating it

System security, virus removal, choosing antivirus software. Mandatory logs in this section: three from FRST + Gmer.

Post by Bart_72, 15 Jul 2008, 11:49

It looks like a virus invasion has hit my laptop. Please help. The lsass entries in ComboFix scared me a bit...

The laptop is a work machine and my boss will kill me if it dies.

ComboFix:
ComboFix 08-07-14.2 - Max 2008-07-15 11:34:35.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.1.1045.18.505 [GMT 2:00]
Running from: C:\ComboFix.exe
* Resident AV is active


[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\slfxdat.dll

.
(((((((((((((((((((((((((   Files Created from 2008-06-15 to 2008-07-15  )))))))))))))))))))))))))))))))
.

2008-07-15 11:27 . 2008-07-15 11:34   120   --a------   C:\Documents and Settings\Max\settmo.dat
2008-07-15 11:25 . 2008-07-15 11:25   320   --a------   C:\Documents and Settings\Max\ntoken.dat
2008-07-15 11:17 . 2008-07-15 11:17   <DIR>   d--------   C:\Program Files\Trend Micro
2008-07-15 11:15 . 2008-07-15 11:15   2,613,152   --a------   C:\ComboFix.exe
2008-07-09 13:38 . 2008-07-09 13:38   2,094   --a------   C:\WKLADKA FALISTA 4.ACM
2008-07-03 11:10 . 2008-07-03 11:10   <DIR>   d--------   C:\Program Files\GetRight
2008-07-03 11:10 . 2008-07-03 11:17   <DIR>   d--------   C:\Documents and Settings\Max\Dane aplikacji\GetRight
2008-07-03 11:09 . 2008-07-03 11:14   <DIR>   d--------   C:\Downloads
2008-07-03 11:09 . 2008-07-03 11:11   <DIR>   d--------   C:\Documents and Settings\Max\Dane aplikacji\GetRightToGo
2008-06-24 19:59 . 2008-06-24 19:59   <DIR>   d--------   C:\Program Files\Mio Technology
2008-06-24 19:58 . 2008-06-24 19:59   <DIR>   d--------   C:\Program Files\Microsoft ActiveSync
2008-06-23 16:40 . 2008-06-23 16:41   14,263,208   --a------   C:\ndntplst.exe
2008-06-20 19:48 . 2008-06-20 19:48   246,784   ---------   C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 19:48 . 2008-06-20 19:48   147,968   ---------   C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 13:51 . 2008-06-20 13:51   361,600   ---------   C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 13:40 . 2008-06-20 13:40   138,496   ---------   C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 13:08 . 2008-06-20 13:08   225,856   ---------   C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-19 10:36 . 2008-06-19 10:36   <DIR>   d--------   C:\Temp\Partition
2008-06-19 10:36 . 2008-06-19 10:36   <DIR>   d--------   C:\Program Files\PowerQuest
2008-06-19 10:35 . 2008-06-19 10:33   23,776,770   --a------   C:\Temp\ENPM800RETAILDEMO[1].ZIP

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 08:18   ---------   d-----w   C:\Program Files\Opera
2008-06-25 09:02   ---------   d-----w   C:\Documents and Settings\Max\Dane aplikacji\foobar2000
2008-06-24 18:00   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-20 17:48   246,784   ----a-w   C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51   361,600   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40   138,496   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08   225,856   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 12:03   ---------   d-----w   C:\Program Files\Lenovo
2008-06-14 17:36   273,024   ------w   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 17:36   273,024   ------w   C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 08:50   25,280   ----a-w   C:\Documents and Settings\Max\Dane aplikacji\GDIPFONTCACHEV1.DAT
2008-05-09 10:56   90,112   ----a-w   C:\WINDOWS\system32\wshext.dll
2008-05-09 10:56   90,112   ------w   C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:56   512,000   ------w   C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:56   430,080   ----a-w   C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:56   430,080   ------w   C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:56   180,224   ----a-w   C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:56   180,224   ------w   C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:56   172,032   ----a-w   C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:56   172,032   ------w   C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 14:02   203,136   ------w   C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-08 11:24   155,648   ----a-w   C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24   155,648   ------w   C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07   135,168   ----a-w   C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07   135,168   ------w   C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12   1,291,776   ----a-w   C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12   1,291,776   ------w   C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 23:20   3,591,680   ----a-w   C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:43   70,656   ----a-w   C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:43   625,664   ----a-w   C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39   13,824   ----a-w   C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07   161,792   ----a-w   C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-16 15:20   0   ----a-w   C:\Program Files\path6.ini
2007-12-18 14:49   32,768   --sha-w   C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Feeds Cache\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
BTTray.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-02-27 18:43:30 561213]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-12-18 16:44:58 50688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]
Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk - C:\Program Files\SAGEM WiFi manager\WLANUTL.exe [2008-05-06 15:07:41 860160]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-14 23:17 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 17:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 04:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 15:52 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\TC PowerPack\\TOTALCMD.EXE"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Esko\\bg_prog_egsis_v010\\bin_ix86\\egsissrv.exe"=
"C:\\Esko\\bg_prog_egsis_v010\\bin_ix86\\EGSystemInfoTool.exe"=
"C:\\Program Files\\OrangeBS\\BEWInternet-PL\\Connectivity\\ConnectivityManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13364:UDP"= 13364:UDP:Print Server Utility
"13107:UDP"= 13107:UDP:Print Server Utility
"69:UDP"= 69:UDP:Print Server Utility
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-02 18:49]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-02 18:47]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 10:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 12:24]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-06-17 18:16]
R2 ArtiosLM;Artios License Manager;C:\WINDOWS\system32\artioslm.exe [2000-07-10 17:25]
R2 EG Station Information Service;EG Station Information Service;C:\Esko\bg_prog_egsis_v010\bin_ix86\egsissrv.exe [2006-03-29 12:25]
R2 MSSQL$ARTIOSCADDB;MSSQL$ARTIOSCADDB;C:\Program Files\Microsoft SQL Server\MSSQL$ARTIOSCADDB\Binn\sqlservr.exe [2002-12-17 18:26]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-03-14 23:10]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 14:11]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2006-09-13 13:42]
S3 SG760_XP;SAGEM 802.11g XG760 1211 Driver;C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys [2006-01-09 11:26]
S3 SQLAgent$ARTIOSCADDB;SQLAgent$ARTIOSCADDB;C:\Program Files\Microsoft SQL Server\MSSQL$ARTIOSCADDB\Binn\sqlagent.EXE [2002-12-17 18:23]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 20:45]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 20:45]
S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\system32\ZDCndis5.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{042fd632-bdc8-11dc-a635-001a6bcd67e3}]
\Shell\Auto\command - E:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{045365e3-36fa-11dd-a6db-001a6bcd67e3}]
\Shell\AutoRun\command - E:\wdsync.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a9fa134-1041-11dd-a6c2-001c26fe5f9b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f16aac8-f83e-11dc-a6a2-001c26fe5f9b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-17 12:58:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-15 09:25:32 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
"2007-12-18 15:19:47 C:\WINDOWS\Tasks\Przypomnienie o rejestracji 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-12-18 15:19:47 C:\WINDOWS\Tasks\Przypomnienie o rejestracji 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-07-15 09:19:05 C:\WINDOWS\Tasks\Sprawdź aktualizacje paska narzędzi Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 11:35:42
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\DOCUME~1\Max\USTAWI~1\Temp\catchme.dll
.
Completion time: 2008-07-15 11:36:57
ComboFix-quarantined-files.txt  2008-07-15 09:36:51

Pre-Run: 116,953,878,528 bajtów wolnych
Post-Run: 116,939,681,792 bajtów wolnych

178   --- E O F ---   2008-07-09 08:30:52


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:47, on 2008-07-15
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\artioslm.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Esko\bg_prog_egsis_v010\bin_ix86\egsissrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ARTIOSCADDB\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\Lenovo\LENOVO~1\LPMGR.exe
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\X-Guard\X-Guard.exe
C:\Program Files\ADRGrabber\ADRGrabber.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.pl/0SEPLPL/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~1\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BEWINTERNET-PLSessionManager] C:\Program Files\OrangeBS\BEWInternet-PL\SessionManager\SessionManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [X-Guard] C:\Program Files\X-Guard\X-Guard.exe
O4 - HKLM\..\Run: [Winengine] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [XGADRGrabber] C:\Program Files\ADRGrabber\ADRGrabber.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Wyślij do urządzenia &Bluetooth... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198147983734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Artios License Manager (ArtiosLM) - Unknown owner - C:\WINDOWS\system32\artioslm.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EG Station Information Service - Esko-Graphics - C:\Esko\bg_prog_egsis_v010\bin_ix86\egsissrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom SA - C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 13703 bytes
Bart_72
~user
Posts: 19
Joined: 08 Jul 2008, 12:16



Post by Okocza, 15 Jul 2008, 12:07

open Notepad and paste:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{042fd632-bdc8-11dc-a635-001a6bcd67e3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{045365e3-36fa-11dd-a6db-001a6bcd67e3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a9fa134-1041-11dd-a6c2-001c26fe5f9b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f16aac8-f83e-11dc-a6a2-001c26fe5f9b}]


in Notepad, at the top>>>File, Save as>>>change the extension from TXT to All files *.* >>> save it under the name FIX.REG

Double-click the resulting fix file and add it to the registry....

come back with a new ComboFix log
eMachines E730G - Core i5-430M, 2GiB RAM, ATI Mobility Radeon HD5470, WD 320GiB; Cort Z-44,DR 0.09-0.42, Peavey Backstage
Mac OS X 10.7.4 Lion // Windows 7 Professional x64 // I DON'T HELP VIA PM/GG/E-MAIL
"My Ego and Anima meet and exchange cookie recipes" - Maynard James Keenan
Okocza
~user
Posts: 8001
Joined: 19 Mar 2006, 11:53
Kudos: 406



Post by Dzi@dek, 15 Jul 2008, 12:10

O4 - HKLM\..\Run: [Winengine] C:\WINDOWS\lsass.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

Tick these entries in HJT and Fix checked
Post a new log from HJT + DSS
Dzi@dek
^distinguished
Posts: 3854
Joined: 11 Dec 2006, 20:18
Location: Warszawa
Kudos: 210
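The triage the two replies above do by eye (a Run key launching lsass.exe from C:\WINDOWS instead of system32, the DisableRegedit policy, the orphaned Winlogon Notify entry, and the MountPoints2 autorun handlers on a removable drive) can be scripted. The Python below is an added example, not a tool from this thread or from the HijackThis/ComboFix projects; it runs over constructed log lines copied from the excerpts in this thread and flags those four patterns, and the rule names, regexes and CORE_PROCESS_NAMES list are my own assumptions.

```python
import re
import ntpath

# Core Windows processes that are started by the system itself, never from a
# Run key; a Run entry naming one of them is suspicious, more so outside system32.
CORE_PROCESS_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                      "services.exe", "svchost.exe"}

# HijackThis line formats (O4 Run entries, O7 policies, O20 Winlogon Notify)
# and the ComboFix MountPoints2 "\Shell\<verb>\command" lines.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O7_RE = re.compile(r"^O7 - (?P<key>.*?), (?P<policy>\w+)=(?P<value>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
MOUNTPOINT_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<cmd>.*)$")

# Constructed sample: lines copied from the HijackThis and ComboFix logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Winengine] C:\WINDOWS\lsass.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{042fd632-bdc8-11dc-a635-001a6bcd67e3}]
\Shell\Auto\command - E:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{045365e3-36fa-11dd-a6db-001a6bcd67e3}]
\Shell\AutoRun\command - E:\wdsync.exe
"""


def launch_path(cmd):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return a list of (reason, line) for every line matching a triage rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            path = launch_path(m.group("cmd"))
            if ntpath.basename(path).lower() in CORE_PROCESS_NAMES:
                reason = "core process name launched from Run key"
                if not ntpath.dirname(path).lower().endswith("system32"):
                    reason += ", outside system32"
                findings.append((reason, line))
            continue
        m = O7_RE.match(line)
        if m and m.group("policy").lower().startswith("disable") and m.group("value") == "1":
            findings.append(("policy restriction set: " + m.group("policy"), line))
            continue
        m = O20_RE.match(line)
        if m and "(file missing)" in m.group("dll"):
            findings.append(("orphaned Winlogon Notify entry", line))
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            findings.append(("autorun handler for removable drive: " + m.group("verb"), line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Legitimate entries such as ctfmon.exe, the NOD32 service and the rundll32 ThinkPad helpers pass through untouched; only the six lines the replies act on are reported.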



Post by Bart_72, 15 Jul 2008, 13:06

It seems there is a bigger problem. While the repair tools were running, a message kept appearing that the registry editor had been disabled. I only managed to add Fix.reg in safe mode. The scans showed this:

ComboFix
ComboFix 08-07-14.2 - Max 2008-07-15 12:51:00.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.48.1045.18.522 [GMT 2:00]
Running from: C:\ComboFix.exe
* Resident AV is active


[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((   Files Created from 2008-06-15 to 2008-07-15  )))))))))))))))))))))))))))))))
.

2008-07-15 11:27 . 2008-07-15 12:51   120   --a------   C:\Documents and Settings\Max\settmo.dat
2008-07-15 11:25 . 2008-07-15 12:49   320   --a------   C:\Documents and Settings\Max\ntoken.dat
2008-07-15 11:17 . 2008-07-15 11:17   <DIR>   d--------   C:\Program Files\Trend Micro
2008-07-15 11:15 . 2008-07-15 11:15   2,613,152   --a------   C:\ComboFix.exe
2008-07-09 13:38 . 2008-07-09 13:38   2,094   --a------   C:\WKLADKA FALISTA 4.ACM
2008-07-03 11:10 . 2008-07-03 11:10   <DIR>   d--------   C:\Program Files\GetRight
2008-07-03 11:10 . 2008-07-03 11:17   <DIR>   d--------   C:\Documents and Settings\Max\Dane aplikacji\GetRight
2008-07-03 11:09 . 2008-07-03 11:14   <DIR>   d--------   C:\Downloads
2008-07-03 11:09 . 2008-07-03 11:11   <DIR>   d--------   C:\Documents and Settings\Max\Dane aplikacji\GetRightToGo
2008-06-24 19:59 . 2008-06-24 19:59   <DIR>   d--------   C:\Program Files\Mio Technology
2008-06-24 19:58 . 2008-06-24 19:59   <DIR>   d--------   C:\Program Files\Microsoft ActiveSync
2008-06-23 16:40 . 2008-06-23 16:41   14,263,208   --a------   C:\ndntplst.exe
2008-06-20 19:48 . 2008-06-20 19:48   246,784   ---------   C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 19:48 . 2008-06-20 19:48   147,968   ---------   C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 13:51 . 2008-06-20 13:51   361,600   ---------   C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 13:40 . 2008-06-20 13:40   138,496   ---------   C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 13:08 . 2008-06-20 13:08   225,856   ---------   C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-19 10:36 . 2008-06-19 10:36   <DIR>   d--------   C:\Temp\Partition
2008-06-19 10:36 . 2008-06-19 10:36   <DIR>   d--------   C:\Program Files\PowerQuest
2008-06-19 10:35 . 2008-06-19 10:33   23,776,770   --a------   C:\Temp\ENPM800RETAILDEMO[1].ZIP

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 08:18   ---------   d-----w   C:\Program Files\Opera
2008-06-25 09:02   ---------   d-----w   C:\Documents and Settings\Max\Dane aplikacji\foobar2000
2008-06-24 18:00   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-20 17:48   246,784   ----a-w   C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51   361,600   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40   138,496   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08   225,856   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 12:03   ---------   d-----w   C:\Program Files\Lenovo
2008-06-14 17:36   273,024   ------w   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 17:36   273,024   ------w   C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 08:50   25,280   ----a-w   C:\Documents and Settings\Max\Dane aplikacji\GDIPFONTCACHEV1.DAT
2008-05-09 10:56   90,112   ----a-w   C:\WINDOWS\system32\wshext.dll
2008-05-09 10:56   90,112   ------w   C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:56   512,000   ------w   C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:56   430,080   ----a-w   C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:56   430,080   ------w   C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:56   180,224   ----a-w   C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:56   180,224   ------w   C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:56   172,032   ----a-w   C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:56   172,032   ------w   C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 14:02   203,136   ------w   C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-08 11:24   155,648   ----a-w   C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24   155,648   ------w   C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07   135,168   ----a-w   C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07   135,168   ------w   C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12   1,291,776   ----a-w   C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12   1,291,776   ------w   C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 23:20   3,591,680   ----a-w   C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:43   70,656   ----a-w   C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:43   625,664   ----a-w   C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39   13,824   ----a-w   C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07   161,792   ----a-w   C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-16 15:20   0   ----a-w   C:\Program Files\path6.ini
2007-12-18 14:49   32,768   --sha-w   C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Feeds Cache\index.dat
.

(((((((((((((((((((((((((((((   snapshot@2008-07-15_11.29.37.64   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-15 10:49:24   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_468.dat
+ 2008-07-15 10:49:25   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_730.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
BTTray.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-02-27 18:43:30 561213]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-12-18 16:44:58 50688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]
Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk - C:\Program Files\SAGEM WiFi manager\WLANUTL.exe [2008-05-06 15:07:41 860160]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-14 23:17 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 17:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 04:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\TC PowerPack\\TOTALCMD.EXE"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Esko\\bg_prog_egsis_v010\\bin_ix86\\egsissrv.exe"=
"C:\\Esko\\bg_prog_egsis_v010\\bin_ix86\\EGSystemInfoTool.exe"=
"C:\\Program Files\\OrangeBS\\BEWInternet-PL\\Connectivity\\ConnectivityManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13364:UDP"= 13364:UDP:Print Server Utility
"13107:UDP"= 13107:UDP:Print Server Utility
"69:UDP"= 69:UDP:Print Server Utility
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-02 18:49]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-02 18:47]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 10:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 12:24]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-06-17 18:16]
R2 ArtiosLM;Artios License Manager;C:\WINDOWS\system32\artioslm.exe [2000-07-10 17:25]
R2 EG Station Information Service;EG Station Information Service;C:\Esko\bg_prog_egsis_v010\bin_ix86\egsissrv.exe [2006-03-29 12:25]
R2 MSSQL$ARTIOSCADDB;MSSQL$ARTIOSCADDB;C:\Program Files\Microsoft SQL Server\MSSQL$ARTIOSCADDB\Binn\sqlservr.exe [2002-12-17 18:26]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-03-14 23:10]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 14:11]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2006-09-13 13:42]
S3 SG760_XP;SAGEM 802.11g XG760 1211 Driver;C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys [2006-01-09 11:26]
S3 SQLAgent$ARTIOSCADDB;SQLAgent$ARTIOSCADDB;C:\Program Files\Microsoft SQL Server\MSSQL$ARTIOSCADDB\Binn\sqlagent.EXE [2002-12-17 18:23]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 20:45]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 20:45]
S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\system32\ZDCndis5.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{042fd632-bdc8-11dc-a635-001a6bcd67e3}]
\Shell\Auto\command - E:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{045365e3-36fa-11dd-a6db-001a6bcd67e3}]
\Shell\AutoRun\command - E:\wdsync.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a9fa134-1041-11dd-a6c2-001c26fe5f9b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f16aac8-f83e-11dc-a6a2-001c26fe5f9b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-17 12:58:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-15 10:49:41 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
"2007-12-18 15:19:47 C:\WINDOWS\Tasks\Przypomnienie o rejestracji 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-12-18 15:19:47 C:\WINDOWS\Tasks\Przypomnienie o rejestracji 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-07-15 10:19:00 C:\WINDOWS\Tasks\Sprawdź aktualizacje paska narzędzi Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 12:53:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-07-15 12:56:49
ComboFix-quarantined-files.txt  2008-07-15 10:55:45
ComboFix2.txt  2008-07-15 09:36:58

Pre-Run: 117,385,916,416 bytes free
Post-Run: 117,372,993,536 bytes free

170   --- E O F ---   2008-07-09 08:30:52


DSS main
Deckard's System Scanner v20071014.68
Run by Max on 2008-07-15 13:00:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
54: 2008-07-15 11:00:09 UTC - RP135 - Deckard's System Scanner Restore Point
53: 2008-07-15 09:18:39 UTC - RP134 - ComboFix created restore point
52: 2008-07-15 08:18:13 UTC - RP133 - Installed: Opera 9.51
51: 2008-07-15 08:18:01 UTC - RP132 - Removed: Opera 9.50
50: 2008-07-14 09:13:35 UTC - RP131 - System checkpoint


-- First Restore Point --
1: 2008-04-15 23:14:26 UTC - RP82 - System checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Max.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:00:51, on 2008-07-15
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\artioslm.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Esko\bg_prog_egsis_v010\bin_ix86\egsissrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ARTIOSCADDB\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\PROGRA~1\Lenovo\LENOVO~1\LPMGR.exe
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\X-Guard\X-Guard.exe
C:\Program Files\ADRGrabber\ADRGrabber.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Max.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.pl/0SEPLPL/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~1\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BEWINTERNET-PLSessionManager] C:\Program Files\OrangeBS\BEWInternet-PL\SessionManager\SessionManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [X-Guard] C:\Program Files\X-Guard\X-Guard.exe
O4 - HKLM\..\Run: [XGADRGrabber] C:\Program Files\ADRGrabber\ADRGrabber.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Wyślij do urządzenia &Bluetooth... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198147983734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Artios License Manager (ArtiosLM) - Unknown owner - C:\WINDOWS\system32\artioslm.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EG Station Information Service - Esko-Graphics - C:\Esko\bg_prog_egsis_v010\bin_ix86\egsissrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom SA - C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 13616 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080715-123127-893 O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
backup-20080715-123127-976 O4 - HKLM\..\Run: [Winengine] C:\WINDOWS\lsass.exe
backup-20080715-124802-890 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080715-124816-463 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

-- File Associations -----------------------------------------------------------

[COLOR=red].cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*[/COLOR]
[COLOR=red].cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*[/COLOR]


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ANC - c:\windows\system32\drivers\anc.sys <Not Verified; IBM Corp.; IBM Access Connections>
R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R1 TPPWRIF - c:\windows\system32\drivers\tppwrif.sys
R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
R2 pmem - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>

S3 PCAMPR5 (PCAMPR5 NDIS Protocol Driver) - c:\windows\system32\pcampr5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 PCANDIS5 (PCANDIS5 NDIS Protocol Driver) - c:\windows\system32\pcandis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)
S3 ZDCndis5 (ZDCndis5 Protocol Driver) - c:\windows\system32\zdcndis5.sys (file missing)
S3 ZDPNDIS5 (ZDPNDIS5 NDIS Protocol Driver) - c:\windows\system32\zdpndis5.sys (file missing)
S3 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ArtiosLM (Artios License Manager) - c:\windows\system32\artioslm.exe
R2 Diskeeper - "c:\program files\diskeeper corporation\diskeeper\dkservice.exe" <Not Verified; Diskeeper Corporation; Diskeeper (TM) Disk Defragmenter>
R2 EG Station Information Service - "c:\esko\bg_prog_egsis_v010\bin_ix86\egsissrv.exe" -s <Not Verified; Esko-Graphics; Esko-Graphics egsissrv>
R2 FTRTSVC (France Telecom Routing Table Service) - "c:\progra~1\common~1\france telecom\shared modules\ftrtsvc\0\ftrtsvc.exe" <Not Verified; France Telecom SA; CSS-Corporate>
R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
R2 SUService (System Update) - c:\program files\lenovo\system update\suservice.exe <Not Verified; Lenovo Group Limited; ThinkVantage System Update Service>
R2 TVT Backup Protection Service - "c:\program files\lenovo\rescue and recovery\rrpservice.exe" <Not Verified; ; rrpservice Module>
R2 TVT Scheduler - "c:\program files\common files\lenovo\scheduler\tvtsched.exe" <Not Verified; Lenovo Group Limited; tvtsched Module>
R2 tvtnetwk - c:\program files\lenovo\rescue and recovery\adm\iuservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-15 12:49:41       316 --a------ C:\WINDOWS\Tasks\PMTask.job
2008-07-15 12:19:00       250 --a------ C:\WINDOWS\Tasks\Sprawdź aktualizacje paska narzędzi Windows Live Toolbar.job
2008-04-17 14:58:25       284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-12-18 17:19:47       258 --a------ C:\WINDOWS\Tasks\Przypomnienie o rejestracji 2.job
2007-12-18 17:19:47       258 --a------ C:\WINDOWS\Tasks\Przypomnienie o rejestracji 1.job


-- Files created between 2008-06-15 and 2008-07-15 -----------------------------

2008-07-15 12:59:28    686630 --a------ C:\dss.exe
2008-07-15 11:18:19     68096 --a------ C:\WINDOWS\zip.exe
2008-07-15 11:18:19     49152 --a------ C:\WINDOWS\VFind.exe
2008-07-15 11:18:19    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-15 11:18:19    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-15 11:18:19    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-15 11:18:19     98816 --a------ C:\WINDOWS\sed.exe
2008-07-15 11:18:19     80412 --a------ C:\WINDOWS\grep.exe
2008-07-15 11:18:19     89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-15 11:17:43         0 d-------- C:\Program Files\Trend Micro
2008-07-15 11:15:41   2613152 --a------ C:\ComboFix.exe
2008-07-03 11:10:37         0 d-------- C:\Program Files\GetRight
2008-07-03 11:09:45         0 d-------- C:\Downloads <DOWNLO~1>
2008-06-24 19:59:51         0 d-------- C:\Program Files\Mio Technology
2008-06-24 19:58:57         0 d-------- C:\Program Files\Microsoft ActiveSync
2008-06-23 16:40:44  14263208 --a------ C:\ndntplst.exe
2008-06-19 10:36:41         0 d-------- C:\Program Files\PowerQuest


-- Find3M Report ---------------------------------------------------------------

2008-07-15 12:49:24       202 --a------ C:\WINDOWS\system32\PSLOG
2008-07-15 10:18:16         0 d-------- C:\Program Files\Opera
2008-07-03 11:17:08         0 d-------- C:\Documents and Settings\Max\Dane aplikacji\GetRight
2008-07-03 11:11:24         0 d-------- C:\Documents and Settings\Max\Dane aplikacji\GetRightToGo
2008-06-25 11:02:45         0 d-------- C:\Documents and Settings\Max\Dane aplikacji\foobar2000
2008-06-24 20:12:39      2528 --a------ C:\Documents and Settings\Max\Dane aplikacji\$_hpcst$.hpc
2008-06-24 20:00:06         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-19 14:03:38         0 d-------- C:\Program Files\Lenovo
2008-06-11 10:50:48     25280 --a------ C:\Documents and Settings\Max\Dane aplikacji\GDIPFONTCACHEV1.DAT
2008-06-05 11:30:43         0 d-------- C:\Program Files\Messenger
2008-06-05 11:24:56         0 d-------- C:\Program Files\Movie Maker
2008-06-05 11:21:11         0 d-------- C:\Program Files\Windows NT
2008-04-28 11:56:48      4416 --a------ C:\WINDOWS\srcdata.dat
2008-04-28 11:56:48   1143808 --a------ C:\WINDOWS\rcgdata.dat <Not Verified; ; X-Guard II>
2008-04-28 11:56:48      6148 --a------ C:\WINDOWS\lrcdata.dat
2008-04-16 17:20:50         0 --a------ C:\Program Files\path6.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-06-17 18:16]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-06-17 18:16]
"TPFNF7"="C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-12-20 04:04]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 07:49]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2007-03-05 15:27]
"TpShocks"="TpShocks.exe" [2007-03-29 19:40 C:\WINDOWS\system32\TpShocks.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 19:32]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 10:34]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-02-02 06:20]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 12:51]
"LPManager"="C:\PROGRA~1\Lenovo\LENOVO~1\LPMGR.exe" [2007-07-13 03:11]
"AMSG"="C:\PROGRA~1\THINKV~1\AMSG\amsg.exe" [2007-02-01 20:00]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 17:24]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 15:58]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 15:51]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [2007-01-30 20:01]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-19 13:22]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 19:19]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-15 16:07]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-15 16:07]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-15 16:07]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16]
"BEWINTERNET-PLSessionManager"="C:\Program Files\OrangeBS\BEWInternet-PL\SessionManager\SessionManager.exe" [2007-07-24 20:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37]
"X-Guard"="C:\Program Files\X-Guard\X-Guard.exe" [2008-04-28 11:56]
"XGADRGrabber"="C:\Program Files\ADRGrabber\ADRGrabber.exe" [2008-04-28 11:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 19:21]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 19:21]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-12-01 12:46]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\WINDOWS\system32\psqlpwd.dll 2007-03-14 23:17 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 17:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 04:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs   eaphost
dot3svc   dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{042fd632-bdc8-11dc-a635-001a6bcd67e3}]
Auto\command- E:\UFO.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{045365e3-36fa-11dd-a6db-001a6bcd67e3}]
AutoRun\command- E:\wdsync.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a9fa134-1041-11dd-a6c2-001c26fe5f9b}]
AutoRun\command- E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f16aac8-f83e-11dc-a6a2-001c26fe5f9b}]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-07-15 13:01:23 ------------



[ Added: Today at 13:11 ]
Also the missing extra HJT:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:15, on 2008-07-15
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\artioslm.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Esko\bg_prog_egsis_v010\bin_ix86\egsissrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ARTIOSCADDB\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\PROGRA~1\Lenovo\LENOVO~1\LPMGR.exe
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\X-Guard\X-Guard.exe
C:\Program Files\ADRGrabber\ADRGrabber.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.pl/0SEPLPL/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~1\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BEWINTERNET-PLSessionManager] C:\Program Files\OrangeBS\BEWInternet-PL\SessionManager\SessionManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [X-Guard] C:\Program Files\X-Guard\X-Guard.exe
O4 - HKLM\..\Run: [XGADRGrabber] C:\Program Files\ADRGrabber\ADRGrabber.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Wyślij do urządzenia &Bluetooth... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198147983734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Artios License Manager (ArtiosLM) - Unknown owner - C:\WINDOWS\system32\artioslm.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EG Station Information Service - Esko-Graphics - C:\Esko\bg_prog_egsis_v010\bin_ix86\egsissrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom SA - C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 13668 bytes


The extra DSS didn't fit:

http://wklej.org/id/6ccecea320
Bart_72
~user
 
Posts: 19
Joined: 08 Jul 2008, 12:16



Post by wojtas 15 Jul 2008, 13:22

delete these files:

C:\Documents and Settings\Max\settmo.dat
C:\Documents and Settings\Max\ntoken.dat


paste into Notepad

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{045365e3-36fa-11dd-a6db-001a6bcd67e3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{042fd632-bdc8-11dc-a635-001a6bcd67e3}]


In Notepad, at the top >>> File, Save as >>> change the file type from TXT to All files *.* >>> save under the name FIX.REG

Double-click the resulting fix file and add it to the registry....




Do what is given in this topic

Use SDFix. After downloading, run it and it will unpack to C:\SDFix. Start the computer in Safe Mode (F8 at system startup). While in Safe Mode, run the RunThis.bat file from the SDFix folder. Confirm the cleaning with Y. Wait until it finishes and the computer restarts.

Then go to the C:\SDFix folder, post the contents of Report.txt + the ComboFix log, and give a HijackThis log.

The post's author received kudos
Last edited by wojtas, 15 Jul 2008, 13:23, edited 1 time in total
wojtas
*mod

Posts: 18165
Joined: 13 Jan 2006, 16:00
Location: Krzeszyce
Kudos: 1656



Post by Dzi@dek 15 Jul 2008, 13:23

1. Open the Registry Editor (choose Start - Run and type regedit)
2. Find the key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System.
3. The value (DWORD type) named DisableRegedit
4. Set its value to 0.
5. Close the editor and restart the computer.


Paste into Notepad:

Code:
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{042fd632-bdc8-11dc-a635-001a6bcd67e3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{045365e3-36fa-11dd-a6db-001a6bcd67e3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a9fa134-1041-11dd-a6c2-001c26fe5f9b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f16aac8-f83e-11dc-a6a2-001c26fe5f9b}]


File -> Save as... -> CFScript - best if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon.
Drag and drop the CFScript.txt file onto -> ComboFix.exe
Confirm -> the computer will restart.

If the question "1 or 2" appears, type 1 and press ENTER. The removal process will start.

Give new logs from ComboFix and HijackThis.


and remove these entries:


Dzi@dek wrote:
O4 - HKLM\..\Run: [Winengine] C:\WINDOWS\lsass.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
Dzi@dek
^distinguished

Posts: 3854
Joined: 11 Dec 2006, 20:18
Location: Warszawa
Kudos: 210
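An added example (not code from the thread, HijackThis, DSS or ComboFix): a small Python triage helper that applies the checks wojtas and Dzi@dek make by eye above, namely a core process name such as lsass.exe started from outside system32, the DisableRegedit policy, an orphaned Winlogon Notify entry and the MountPoints2 autorun handlers, and then builds the "[-KEY]" deletion .reg that both replies wrote by hand. The sample lines are copied from the logs in this thread; the CORE_PROCESSES list and the wording of the findings are this example's own assumptions.

```python
# Added triage helper for the persistence entries discussed in this thread.
# Not code from the thread or from HijackThis/DSS/ComboFix; CORE_PROCESSES and
# the finding texts are this example's own assumptions.
import re

# Core Windows processes that legitimately live only in %SystemRoot%\system32.
# A same-named file elsewhere (the thread's C:\WINDOWS\lsass.exe) is a masquerade.
CORE_PROCESSES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                  "services.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"

O4_RE = re.compile(r'^O4 - (.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O7_RE = re.compile(r'^O7 - .*DisableRegedit=(?P<val>\d+)')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)'
                    r'(?P<missing> \(file missing\))?$')
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
AUTORUN_RE = re.compile(r'^Auto(?:Run)?\\command- (?P<cmd>.+)$')

# Lines copied from the thread's HijackThis output (benign ones included for contrast).
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [Winengine] C:\WINDOWS\lsass.exe",
    r'O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE',
    r"O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)",
]

# Lines copied from the thread's DSS registry dump (MountPoints2 section).
SAMPLE_DUMP = [
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{042fd632-bdc8-11dc-a635-001a6bcd67e3}]",
    r"Auto\command- E:\UFO.exe",
    r"AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe",
    "",
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{045365e3-36fa-11dd-a6db-001a6bcd67e3}]",
    r"AutoRun\command- E:\wdsync.exe",
]


def executable_path(cmd):
    """Extract the file an O4 command runs: quoted path, rundll32 DLL or bare path."""
    cmd = re.sub(r"^rundll32(?:\.exe)?\s+", "", cmd.strip(), flags=re.IGNORECASE)
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|com|scr))", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_line(line):
    """Return the findings for one HijackThis line (empty list if nothing stands out)."""
    m = O4_RE.match(line)
    if m:
        exe = executable_path(m.group("cmd"))
        directory, _, base = exe.lower().rpartition("\\")
        if base in CORE_PROCESSES and directory != SYSTEM32:
            return [f"O4 [{m.group('name')}]: core process name {base} outside system32: {exe}"]
        return []
    m = O7_RE.match(line)
    if m and m.group("val") != "0":
        return ["O7: Registry Editor disabled by policy (DisableRegedit=1)"]
    m = O20_RE.match(line)
    if m and m.group("missing"):
        return [f"O20: Winlogon Notify '{m.group('name')}' points at a missing DLL ({m.group('dll')})"]
    return []


def autorun_handlers(dump_lines):
    """List (registry key, command) for MountPoints2 autorun handlers in a DSS-style dump."""
    handlers = []
    key = None
    for line in dump_lines:
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = AUTORUN_RE.match(line)
        if m and key and "mountpoints2" in key.lower():
            handlers.append((key, m.group("cmd")))
    return handlers


def reg_delete_script(keys):
    """Build a .reg body that deletes each key once, using the '[-KEY]' syntax from the thread."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key in dict.fromkeys(keys):  # de-duplicate while keeping order
        out += [f"[-{key}]", ""]
    return "\n".join(out)


if __name__ == "__main__":
    for line in SAMPLE_HJT:
        for finding in triage_line(line):
            print(finding)
    print(reg_delete_script(key for key, _ in autorun_handlers(SAMPLE_DUMP)))
```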



Post by Bart_72 15 Jul 2008, 14:14

Hello again!

Regedit won't start even in Safe Mode; the message about regedit being blocked also appeared while ComboFix was running. I also can't add anything to the registry. I've closed the ports.

SDFix logs:
Code:
[b]SDFix: Version 1.205 [/b]
Run by Max on 2008-07-15 at 13:42

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

No Trojan Files Found






Removing Temp Files

[b]ADS Check [/b]:



                                 [b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 13:48:30
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000000ae
"TracesSuccessful"=dword:00000004

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\TC PowerPack\\TOTALCMD.EXE"="C:\\Program Files\\TC PowerPack\\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"
"C:\\Program Files\\Gadu-Gadu\\gg.exe"="C:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program gˆ˘wny"
"C:\\Esko\\bg_prog_egsis_v010\\bin_ix86\\egsissrv.exe"="C:\\Esko\\bg_prog_egsis_v010\\bin_ix86\\egsissrv.exe:*:Enabled:EGSIS"
"C:\\Esko\\bg_prog_egsis_v010\\bin_ix86\\EGSystemInfoTool.exe"="C:\\Esko\\bg_prog_egsis_v010\\bin_ix86\\EGSystemInfoTool.exe:*:Enabled:EGSISCLT"
"C:\\Program Files\\OrangeBS\\BEWInternet-PL\\Connectivity\\ConnectivityManager.exe"="C:\\Program Files\\OrangeBS\\BEWInternet-PL\\Connectivity\\ConnectivityManager.exe:*:enabled:CSS"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[b]Remaining Files [/b]:



[b]Files with Hidden Attributes [/b]:

Tue 18 Dec 2007     6,190,904 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 24 Oct 2005         1,676 A.SHR --- "C:\Documents and Settings\All Users\Dokumenty\MSDOS.BAK"
Mon 21 Apr 2008        26,112 A..H. --- "C:\Documents and Settings\Max\Moje dokumenty\~WRL0811.tmp"
Mon  4 Jun 2007        25,088 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0003.tmp"
Thu 10 May 2007        35,840 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0004.tmp"
Fri 11 May 2007        38,400 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0005.tmp"
Mon  4 Jun 2007        19,968 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0006.tmp"
Mon 10 Sep 2007        39,936 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0007.tmp"
Mon 19 Nov 2007        20,480 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0008.tmp"
Thu  1 Feb 2007        99,840 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0125.tmp"
Thu  1 Feb 2007        85,504 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0204.tmp"
Mon 16 Apr 2007        19,968 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0333.tmp"
Mon 16 Apr 2007        20,480 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0381.tmp"
Tue 11 Sep 2007        65,024 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0402.tmp"
Tue 11 Sep 2007        61,440 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0715.tmp"
Tue 11 Sep 2007        46,080 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0748.tmp"
Tue 11 Sep 2007        66,048 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0749.tmp"
Tue 11 Sep 2007        69,632 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0792.tmp"
Mon  4 Jun 2007        24,576 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0796.tmp"
Thu  1 Feb 2007       122,368 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL0962.tmp"
Wed 18 Jul 2007        25,088 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL1245.tmp"
Mon 16 Apr 2007        19,968 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL1293.tmp"
Thu  4 Oct 2007        20,992 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL1470.tmp"
Mon 17 Dec 2007        31,232 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL1587.tmp"
Tue 11 Sep 2007        58,368 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL1674.tmp"
Tue 11 Sep 2007        45,056 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL1686.tmp"
Mon 16 Apr 2007        19,968 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL1941.tmp"
Thu  1 Feb 2007        98,304 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL1969.tmp"
Mon  4 Jun 2007        20,992 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL2180.tmp"
Thu  1 Feb 2007        95,744 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL2189.tmp"
Mon  4 Jun 2007        20,480 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL2351.tmp"
Thu  1 Feb 2007       118,272 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL2529.tmp"
Thu 22 Nov 2007        23,552 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL2854.tmp"
Mon  4 Jun 2007        22,016 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL3030.tmp"
Thu 15 Nov 2007        29,696 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL3186.tmp"
Thu  1 Feb 2007       109,056 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL3494.tmp"
Tue 11 Sep 2007        79,872 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL3524.tmp"
Mon 19 Nov 2007        20,480 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL3525.tmp"
Thu  1 Feb 2007        95,744 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL3561.tmp"
Tue 11 Sep 2007        56,320 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL3644.tmp"
Tue 11 Sep 2007        59,392 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL3880.tmp"
Thu  4 Oct 2007        20,480 A..H. --- "C:\Documents and Settings\All Users\Dokumenty\Moje dokumenty\~WRL3939.tmp"
Mon 17 Mar 2008             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 12 Feb 2007     3,096,576 A..H. --- "C:\Documents and Settings\Max\Dane aplikacji\U3\temp\Launchpad Removal.exe"
Wed  4 Oct 2006     3,072,000 A..H. --- "C:\Documents and Settings\Max\Pulpit\Kamila Backup\temp\Kamila\Dane aplikacji\U3\temp\Launchpad Removal.exe"

[b]Finished![/b]



ComboFix
Code:

ComboFix 08-07-14.2 - Max 2008-07-15 14:00:53.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.48.1045.18.517 [GMT 2:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\CFScript.txt
* Created a new restore point
* Resident AV is active


[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((   Files Created from 2008-06-15 to 2008-07-15  )))))))))))))))))))))))))))))))
.

2008-07-15 13:59 . 2008-07-15 14:01   120   --a------   C:\Documents and Settings\Max\settmo.dat
2008-07-15 13:57 . 2008-07-15 13:57   320   --a------   C:\Documents and Settings\Max\ntoken.dat
2008-07-15 13:39 . 2008-07-15 13:39   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-07-15 13:34 . 2008-07-15 13:51   <DIR>   d--------   C:\SDFix
2008-07-15 12:59 . 2008-07-15 12:59   <DIR>   d--------   C:\Deckard
2008-07-15 12:59 . 2008-07-15 12:59   686,630   --a------   C:\dss.exe
2008-07-15 11:17 . 2008-07-15 11:17   <DIR>   d--------   C:\Program Files\Trend Micro
2008-07-15 11:15 . 2008-07-15 11:15   2,613,152   --a------   C:\ComboFix.exe
2008-07-09 13:38 . 2008-07-09 13:38   2,094   --a------   C:\WKLADKA FALISTA 4.ACM
2008-07-03 11:10 . 2008-07-03 11:10   <DIR>   d--------   C:\Program Files\GetRight
2008-07-03 11:10 . 2008-07-03 11:17   <DIR>   d--------   C:\Documents and Settings\Max\Dane aplikacji\GetRight
2008-07-03 11:09 . 2008-07-03 11:14   <DIR>   d--------   C:\Downloads
2008-07-03 11:09 . 2008-07-03 11:11   <DIR>   d--------   C:\Documents and Settings\Max\Dane aplikacji\GetRightToGo
2008-06-24 19:59 . 2008-06-24 19:59   <DIR>   d--------   C:\Program Files\Mio Technology
2008-06-24 19:58 . 2008-06-24 19:59   <DIR>   d--------   C:\Program Files\Microsoft ActiveSync
2008-06-23 16:40 . 2008-06-23 16:41   14,263,208   --a------   C:\ndntplst.exe
2008-06-20 19:48 . 2008-06-20 19:48   246,784   ---------   C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 19:48 . 2008-06-20 19:48   147,968   ---------   C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 13:51 . 2008-06-20 13:51   361,600   ---------   C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 13:40 . 2008-06-20 13:40   138,496   ---------   C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 13:08 . 2008-06-20 13:08   225,856   ---------   C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-19 10:36 . 2008-06-19 10:36   <DIR>   d--------   C:\Temp\Partition
2008-06-19 10:36 . 2008-06-19 10:36   <DIR>   d--------   C:\Program Files\PowerQuest
2008-06-19 10:35 . 2008-06-19 10:33   23,776,770   --a------   C:\Temp\ENPM800RETAILDEMO[1].ZIP

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 08:18   ---------   d-----w   C:\Program Files\Opera
2008-06-25 09:02   ---------   d-----w   C:\Documents and Settings\Max\Dane aplikacji\foobar2000
2008-06-24 18:00   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-20 17:48   246,784   ----a-w   C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51   361,600   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40   138,496   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08   225,856   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 12:03   ---------   d-----w   C:\Program Files\Lenovo
2008-06-14 17:36   273,024   ------w   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 17:36   273,024   ------w   C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 08:50   25,280   ----a-w   C:\Documents and Settings\Max\Dane aplikacji\GDIPFONTCACHEV1.DAT
2008-05-09 10:56   90,112   ----a-w   C:\WINDOWS\system32\wshext.dll
2008-05-09 10:56   90,112   ------w   C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:56   512,000   ------w   C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:56   430,080   ----a-w   C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:56   430,080   ------w   C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:56   180,224   ----a-w   C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:56   180,224   ------w   C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:56   172,032   ----a-w   C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:56   172,032   ------w   C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 14:02   203,136   ------w   C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-08 11:24   155,648   ----a-w   C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24   155,648   ------w   C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07   135,168   ----a-w   C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07   135,168   ------w   C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12   1,291,776   ----a-w   C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12   1,291,776   ------w   C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 23:20   3,591,680   ----a-w   C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:43   70,656   ----a-w   C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:43   625,664   ----a-w   C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39   13,824   ----a-w   C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07   161,792   ----a-w   C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-16 15:20   0   ----a-w   C:\Program Files\path6.ini
2007-12-18 14:49   32,768   --sha-w   C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Feeds Cache\index.dat
.

(((((((((((((((((((((((((((((   snapshot@2008-07-15_11.29.37.64   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-14 21:41:59   163,328   ----a-w   C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-07-15 11:39:27   4,042,752   ----a-w   C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-07-15 11:39:27   151,552   ----a-w   C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-14 21:41:59   163,328   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-07-15 11:39:25   4,042,752   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-07-15 11:39:25   151,552   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-04-11 07:42:16   71,342   ----a-w   C:\WINDOWS\system32\perfc009.dat
+ 2008-07-15 11:50:38   71,478   ----a-w   C:\WINDOWS\system32\perfc009.dat
- 2008-04-11 07:42:16   88,980   ----a-w   C:\WINDOWS\system32\perfc015.dat
+ 2008-07-15 11:50:38   89,200   ----a-w   C:\WINDOWS\system32\perfc015.dat
- 2008-04-11 07:42:16   424,356   ----a-w   C:\WINDOWS\system32\perfh009.dat
+ 2008-07-15 11:50:38   424,492   ----a-w   C:\WINDOWS\system32\perfh009.dat
- 2008-04-11 07:42:16   481,920   ----a-w   C:\WINDOWS\system32\perfh015.dat
+ 2008-07-15 11:50:38   482,264   ----a-w   C:\WINDOWS\system32\perfh015.dat
+ 2008-07-15 11:56:54   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_404.dat
+ 2008-07-15 11:56:55   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_574.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
BTTray.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-02-27 18:43:30 561213]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-12-18 16:44:58 50688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]
Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk - C:\Program Files\SAGEM WiFi manager\WLANUTL.exe [2008-05-06 15:07:41 860160]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-14 23:17 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 17:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 04:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\TC PowerPack\\TOTALCMD.EXE"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Esko\\bg_prog_egsis_v010\\bin_ix86\\egsissrv.exe"=
"C:\\Esko\\bg_prog_egsis_v010\\bin_ix86\\EGSystemInfoTool.exe"=
"C:\\Program Files\\OrangeBS\\BEWInternet-PL\\Connectivity\\ConnectivityManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13364:UDP"= 13364:UDP:Print Server Utility
"13107:UDP"= 13107:UDP:Print Server Utility
"69:UDP"= 69:UDP:Print Server Utility
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-02 18:49]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-02 18:47]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 10:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 12:24]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-06-17 18:16]
R2 ArtiosLM;Artios License Manager;C:\WINDOWS\system32\artioslm.exe [2000-07-10 17:25]
R2 EG Station Information Service;EG Station Information Service;C:\Esko\bg_prog_egsis_v010\bin_ix86\egsissrv.exe [2006-03-29 12:25]
R2 MSSQL$ARTIOSCADDB;MSSQL$ARTIOSCADDB;C:\Program Files\Microsoft SQL Server\MSSQL$ARTIOSCADDB\Binn\sqlservr.exe [2002-12-17 18:26]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-03-14 23:10]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 14:11]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2006-09-13 13:42]
S3 SG760_XP;SAGEM 802.11g XG760 1211 Driver;C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys [2006-01-09 11:26]
S3 SQLAgent$ARTIOSCADDB;SQLAgent$ARTIOSCADDB;C:\Program Files\Microsoft SQL Server\MSSQL$ARTIOSCADDB\Binn\sqlagent.EXE [2002-12-17 18:23]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 20:45]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 20:45]
S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\system32\ZDCndis5.SYS []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-17 12:58:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-15 11:57:12 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
"2007-12-18 15:19:47 C:\WINDOWS\Tasks\Przypomnienie o rejestracji 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-12-18 15:19:47 C:\WINDOWS\Tasks\Przypomnienie o rejestracji 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-07-15 11:19:01 C:\WINDOWS\Tasks\Sprawdź aktualizacje paska narzędzi Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 14:03:44
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-07-15 14:06:24
ComboFix-quarantined-files.txt  2008-07-15 12:05:20
ComboFix2.txt  2008-07-15 10:56:50
ComboFix3.txt  2008-07-15 09:36:58

Pre-Run: 117,217,218,560 bajtów wolnych
Post-Run: 117,207,601,152 bajtów wolnych

182   --- E O F ---   2008-07-09 08:30:52


HJT
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:09:14, on 2008-07-15
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\artioslm.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Esko\bg_prog_egsis_v010\bin_ix86\egsissrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ARTIOSCADDB\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\Lenovo\LENOVO~1\LPMGR.exe
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\X-Guard\X-Guard.exe
C:\Program Files\ADRGrabber\ADRGrabber.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.pl/0SEPLPL/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~1\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BEWINTERNET-PLSessionManager] C:\Program Files\OrangeBS\BEWInternet-PL\SessionManager\SessionManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [X-Guard] C:\Program Files\X-Guard\X-Guard.exe
O4 - HKLM\..\Run: [XGADRGrabber] C:\Program Files\ADRGrabber\ADRGrabber.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Wyślij do urządzenia &Bluetooth... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198147983734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Artios License Manager (ArtiosLM) - Unknown owner - C:\WINDOWS\system32\artioslm.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EG Station Information Service - Esko-Graphics - C:\Esko\bg_prog_egsis_v010\bin_ix86\egsissrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom SA - C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 13588 bytes
Bart_72
~user
 
Posts: 19
Joined: 08 Jul 2008, 12:16



Post by Magik, 15 Jul 2008, 14:24

Bart_72 wrote: Hello again!

Regedit won't start even in Safe Mode; the message about regedit being blocked also appeared while ComboFix was running. I also can't add anything to the registry.


because you have this entry

Code:
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


remove it, it blocks the registry
Magik
~user
 
Posts: 7956
Joined: 08 May 2004, 09:17
Location: Głogów
Commendations: 886



Post by Bart_72, 15 Jul 2008, 14:27

Magik wrote:
Bart_72 wrote: Hello again!

Regedit won't start even in Safe Mode; the message about regedit being blocked also appeared while ComboFix was running. I also can't add anything to the registry.


because you have this entry

Code:
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


remove it, it blocks the registry


I've ticked it in HJT many times, but it still doesn't go away. Besides, to remove that entry I have to get into regedit, and regedit doesn't work because of that entry. Squaring the circle... Help :(
Bart_72
~user
 
Posts: 19
Joined: 08 Jul 2008, 12:16



Post by Magik, 15 Jul 2008, 14:35

Bart_72 wrote: I've ticked it in HJT many times, but it still doesn't go away. Besides, to remove that entry I have to get into regedit, and regedit doesn't work because of that entry. Squaring the circle... Help


nothing like Brontok


download Gmer
http://www.gmer.net/index.php

In the CMD tab -> REGEDIT, paste

Code:
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]


and click "Run"
Magik
~user
 
Posts: 7956
Joined: 08 May 2004, 09:17
Location: Głogów
Commendations: 886



Post by Dzi@dek, 15 Jul 2008, 14:40

Start - Run - and type -> gpedit.msc [Enter]
go to: User Configuration -> Administrative Templates -> System.
Find the entry "Prevent access to registry editing tools" - Properties - DISABLE.

You MUST do this while logged in on an administrator account.

The post's author received a commendation
Dzi@dek
^distinguished
 
Posts: 3854
Joined: 11 Dec 2006, 20:18
Location: Warszawa
Commendations: 210



Post by Bart_72, 15 Jul 2008, 15:11

Unfortunately, I still can't get into the registry, even after enabling the option in gpedit. And in Gmer the familiar message appears, i.e. registry editing has been disabled by the network administrator.

But I've noticed something. I can remove that wretched entry for a moment using the registry tool in TC UP, but after a while it reappears on its own...
Bart_72
~user
 
Posts: 19
Joined: 08 Jul 2008, 12:16



Post by Okocza, 15 Jul 2008, 15:17

open Notepad and paste:

Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000


or:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegistryTools"=-
"DisableRegedit"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegistryTools"=-
"DisableRegedit"=-


save it as fix.reg and add it to the registry...

The post's author received a commendation
eMachines E730G - Core i5-430M, 2GiB RAM, ATI Mobility Radeon HD5470, WD 320GiB; Cort Z-44, DR 0.09-0.42, Peavey Backstage
Mac OS X 10.7.4 Lion // Windows 7 Professional x64 // I DO NOT HELP VIA PM/GG/E-MAIL
"My Ego and Anima meet and exchange cookie recipes" - Maynard James Keenan
Okocza
~user
 
Posts: 8001
Joined: 19 Mar 2006, 11:53
Commendations: 406
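Two paste mistakes are easy to make when handing someone a .reg fix like the ones in this thread: a key line that loses its closing ']' (for instance when a HijackThis O7 line is pasted straight into the key), and an en dash where regedit expects the ASCII '-' that marks a value for deletion. The Python below is an added example written for this thread, not code from the forum, from Gmer, HijackThis or ComboFix. It lints a .reg body for those mistakes, maps a HijackThis O7 line to the policy key it reports, and generates a well-formed fix that deletes the lockout value under both hives. The function names and the two sample inputs are constructed for the example; the key path and value names are the ones visible in the thread (the ComboFix dump shows DisableRegistryTools, the HijackThis O7 line prints DisableRegedit=1), so the generator clears both names, as Okocza's second fix does.

```python
"""Lint a .reg fix before importing it, and generate the registry-tools unlock fix.

Added example for this thread; not code from the forum or from any tool it mentions.
Standard library only. The sample inputs at the bottom are constructed.
"""
import re

HEADER = "Windows Registry Editor Version 5.00"
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
# Both value names that appear in the thread's logs and fixes: ComboFix dumps
# DisableRegistryTools, HijackThis reports the same restriction as DisableRegedit=1.
LOCKOUT_VALUES = ("DisableRegistryTools", "DisableRegedit")
POLICY_KEYS = tuple(
    hive + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    for hive in HIVES.values()
)

# [KEY] or [-KEY]: a root hive, an optional subpath, and nothing after the ']'.
KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+)(\\[^\]]*)?\]$")
# "Name"= followed by: - (delete the value), dword:XXXXXXXX, or a quoted string.
VALUE_RE = re.compile(r'^"([^"]+)"=(-|dword:[0-9A-Fa-f]{8}|"(?:[^"\\]|\\.)*")$')
HJT_O7_RE = re.compile(r"^O7 - (HKCU|HKLM)\\(\S+), (\w+)=(\d+)$")


def lint_reg(text):
    """Return [(line_no, problem), ...] for a .reg body; [] means it is well formed."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        problems.append((1, "missing or wrong header line"))
    in_key = False
    for no, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and ';' comments are fine
            continue
        if any(ord(ch) > 127 for ch in line):
            # Strict on purpose: this fix needs no non-ASCII at all, and the classic
            # paste error is an en dash (U+2013) where regedit expects a plain '-'.
            problems.append((no, "non-ASCII character; the delete marker is a plain '-'"))
            continue
        if line.startswith("["):
            if KEY_RE.match(line):
                in_key = True
            else:
                in_key = False
                problems.append((no, "malformed key line: needs a closing ']' and nothing after it"))
            continue
        if not in_key:
            problems.append((no, "value line outside any [KEY] section"))
        elif not VALUE_RE.match(line):
            problems.append((no, "malformed value line"))
    return problems


def hjt_o7_policy_key(line):
    """Map a HijackThis O7 line to the full registry key it reports, or None."""
    m = HJT_O7_RE.match(line.strip())
    if not m:
        return None
    return HIVES[m.group(1)] + "\\" + m.group(2)


def build_unlock_reg(keys=POLICY_KEYS, names=LOCKOUT_VALUES):
    """Emit a .reg that deletes the lockout values ('"Name"=-' deletes one value)."""
    out = [HEADER, ""]
    for key in keys:
        out.append(f"[{key}]")
        out.extend(f'"{name}"=-' for name in names)
        out.append("")
    return "\r\n".join(out)   # .reg files are conventionally CRLF-terminated


# Constructed samples reproducing the two paste mistakes described above.
BROKEN_KEY_SAMPLE = "\n".join([
    HEADER, "",
    r"[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
])
EN_DASH_SAMPLE = "\n".join([
    HEADER, "",
    r"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]",
    '"DisableRegistryTools"=\u2013',    # U+2013 EN DASH, not the ASCII hyphen
])

if __name__ == "__main__":
    for label, sample in (("broken key", BROKEN_KEY_SAMPLE), ("en dash", EN_DASH_SAMPLE)):
        print(label, lint_reg(sample))
    fix = build_unlock_reg()
    print(lint_reg(fix))   # [] -> safe to save as fix.reg and import
    print(fix)
```

Running the file lints both constructed samples and prints a clean fix; the check a practitioner wants is lint_reg returning [] before the text is saved as fix.reg and imported. The lint only guarantees the file will parse: as Bart_72 found further down the thread, a value that comes back after deletion means some process is re-writing the policy, and the import has to follow stopping that process, not precede it.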



Post by Bart_72, 15 Jul 2008, 15:51

I think I now know what's blocking the registry. I installed a parental-control program called X-Guard II. It was probably what was blocking the registry, and I couldn't turn it off because something in it had broken. I killed the X-Guard process, then removed the entry with TC UP, and now it no longer reappears in the registry. The program has no uninstaller, which makes it look pretty suspicious to me.

[ Added: Today at 16:02 ]
Here are the logs, please have a look...

ComboFix
Code:
ComboFix 08-07-14.2 - Max 2008-07-15 15:55:23.6 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.48.1045.18.534 [GMT 2:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\slfxdat.dll

.
(((((((((((((((((((((((((   Files Created from 2008-06-15 to 2008-07-15  )))))))))))))))))))))))))))))))
.

2008-07-15 14:53 . 2008-07-15 14:53   120   --a------   C:\Documents and Settings\Administrator\settmo.dat
2008-07-15 14:51 . 2008-07-15 14:51   <DIR>   d--------   C:\Documents and Settings\Administrator\Dane aplikacji\Intel
2008-07-15 14:50 . 2008-07-15 14:50   320   --a------   C:\Documents and Settings\Administrator\ntoken.dat
2008-07-15 14:43 . 2008-07-15 14:43   <DIR>   d--h-----   C:\WINDOWS\system32\GroupPolicy
2008-07-15 14:41 . 2008-07-15 14:59   250   --a------   C:\WINDOWS\gmer.ini
2008-07-15 13:59 . 2008-07-15 15:37   120   --a------   C:\Documents and Settings\Max\settmo.dat
2008-07-15 13:57 . 2008-07-15 15:06   320   --a------   C:\Documents and Settings\Max\ntoken.dat
2008-07-15 13:39 . 2008-07-15 13:39   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-07-15 13:34 . 2008-07-15 13:51   <DIR>   d--------   C:\SDFix
2008-07-15 12:59 . 2008-07-15 12:59   <DIR>   d--------   C:\Deckard
2008-07-15 12:59 . 2008-07-15 12:59   686,630   --a------   C:\dss.exe
2008-07-15 11:17 . 2008-07-15 11:17   <DIR>   d--------   C:\Program Files\Trend Micro
2008-07-15 11:15 . 2008-07-15 11:15   2,613,152   --a------   C:\ComboFix.exe
2008-07-09 13:38 . 2008-07-09 13:38   2,094   --a------   C:\WKLADKA FALISTA 4.ACM
2008-07-03 11:10 . 2008-07-03 11:10   <DIR>   d--------   C:\Program Files\GetRight
2008-07-03 11:10 . 2008-07-03 11:17   <DIR>   d--------   C:\Documents and Settings\Max\Dane aplikacji\GetRight
2008-07-03 11:09 . 2008-07-03 11:14   <DIR>   d--------   C:\Downloads
2008-07-03 11:09 . 2008-07-03 11:11   <DIR>   d--------   C:\Documents and Settings\Max\Dane aplikacji\GetRightToGo
2008-06-24 19:59 . 2008-06-24 19:59   <DIR>   d--------   C:\Program Files\Mio Technology
2008-06-24 19:58 . 2008-06-24 19:59   <DIR>   d--------   C:\Program Files\Microsoft ActiveSync
2008-06-23 16:40 . 2008-06-23 16:41   14,263,208   --a------   C:\ndntplst.exe
2008-06-20 19:48 . 2008-06-20 19:48   246,784   ---------   C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 19:48 . 2008-06-20 19:48   147,968   ---------   C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 13:51 . 2008-06-20 13:51   361,600   ---------   C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 13:40 . 2008-06-20 13:40   138,496   ---------   C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 13:08 . 2008-06-20 13:08   225,856   ---------   C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-19 10:36 . 2008-06-19 10:36   <DIR>   d--------   C:\Temp\Partition
2008-06-19 10:36 . 2008-06-19 10:36   <DIR>   d--------   C:\Program Files\PowerQuest
2008-06-19 10:35 . 2008-06-19 10:33   23,776,770   --a------   C:\Temp\ENPM800RETAILDEMO[1].ZIP

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 08:18   ---------   d-----w   C:\Program Files\Opera
2008-06-25 09:02   ---------   d-----w   C:\Documents and Settings\Max\Dane aplikacji\foobar2000
2008-06-24 18:00   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-20 17:48   246,784   ----a-w   C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51   361,600   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40   138,496   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08   225,856   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 12:03   ---------   d-----w   C:\Program Files\Lenovo
2008-06-14 17:36   273,024   ------w   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 17:36   273,024   ------w   C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 08:50   25,280   ----a-w   C:\Documents and Settings\Max\Dane aplikacji\GDIPFONTCACHEV1.DAT
2008-05-09 10:56   90,112   ----a-w   C:\WINDOWS\system32\wshext.dll
2008-05-09 10:56   90,112   ------w   C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:56   512,000   ------w   C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:56   430,080   ----a-w   C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:56   430,080   ------w   C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:56   180,224   ----a-w   C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:56   180,224   ------w   C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:56   172,032   ----a-w   C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:56   172,032   ------w   C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 14:02   203,136   ------w   C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-08 11:24   155,648   ----a-w   C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24   155,648   ------w   C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07   135,168   ----a-w   C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07   135,168   ------w   C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12   1,291,776   ----a-w   C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12   1,291,776   ------w   C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 23:20   3,591,680   ----a-w   C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:43   70,656   ----a-w   C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:43   625,664   ----a-w   C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39   13,824   ----a-w   C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07   161,792   ----a-w   C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-16 15:20   0   ----a-w   C:\Program Files\path6.ini
2007-12-18 14:49   32,768   --sha-w   C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Feeds Cache\index.dat
.

(((((((((((((((((((((((((((((   snapshot@2008-07-15_11.29.37.64   )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-20 15:04:32   1,523,536   ----a-w   C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
+ 2008-03-24 17:33:02   1,527,056   ----a-w   C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
+ 2008-07-14 21:41:59   163,328   ----a-w   C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-07-15 11:39:27   4,042,752   ----a-w   C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-07-15 11:39:27   151,552   ----a-w   C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-14 21:41:59   163,328   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-07-15 11:39:25   4,042,752   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-07-15 11:39:25   151,552   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-07-15 12:41:45   884,736   ----a-w   C:\WINDOWS\gmer.dll
+ 2008-04-17 19:13:02   811,008   ----a-w   C:\WINDOWS\gmer.exe
- 2008-04-28 09:56:48   6,148   ----a-w   C:\WINDOWS\lrcdata.dat
+ 2008-07-15 13:32:13   6,148   ----a-w   C:\WINDOWS\lrcdata.dat
- 2008-04-28 09:56:48   1,143,808   ----a-w   C:\WINDOWS\rcgdata.dat
+ 2008-07-15 13:32:13   1,143,808   ----a-w   C:\WINDOWS\rcgdata.dat
- 2008-04-28 09:56:48   4,416   ----a-w   C:\WINDOWS\srcdata.dat
+ 2008-07-15 13:32:13   4,416   ----a-w   C:\WINDOWS\srcdata.dat
+ 2008-07-15 12:41:45   85,969   ----a-w   C:\WINDOWS\system32\drivers\gmer.sys
- 2008-04-17 13:20:51   74,649   ----a-w   C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-07-15 13:28:51   74,649   ----a-w   C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
- 2008-04-11 07:42:16   71,342   ----a-w   C:\WINDOWS\system32\perfc009.dat
+ 2008-07-15 11:50:38   71,478   ----a-w   C:\WINDOWS\system32\perfc009.dat
- 2008-04-11 07:42:16   88,980   ----a-w   C:\WINDOWS\system32\perfc015.dat
+ 2008-07-15 11:50:38   89,200   ----a-w   C:\WINDOWS\system32\perfc015.dat
- 2008-04-11 07:42:16   424,356   ----a-w   C:\WINDOWS\system32\perfh009.dat
+ 2008-07-15 11:50:38   424,492   ----a-w   C:\WINDOWS\system32\perfh009.dat
- 2008-04-11 07:42:16   481,920   ----a-w   C:\WINDOWS\system32\perfh015.dat
+ 2008-07-15 11:50:38   482,264   ----a-w   C:\WINDOWS\system32\perfh015.dat
+ 2008-07-15 13:42:55   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_39c.dat
+ 2008-07-15 13:42:56   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_520.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 19:21 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 19:21 1695232]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-12-01 12:46 204288]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-06-17 18:16 200704]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-06-17 18:16 208896]
"TPFNF7"="C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-12-20 04:04 60704]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 07:49 66176]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2007-03-05 15:27 172032]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 19:32 243248]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 10:34 487424]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-02-02 06:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 12:51 91688]
"LPManager"="C:\PROGRA~1\Lenovo\LENOVO~1\LPMGR.exe" [2007-07-13 03:11 124256]
"AMSG"="C:\PROGRA~1\THINKV~1\AMSG\amsg.exe" [2007-02-01 20:00 419376]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 17:24 196696]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 15:58 413696]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 15:51 126976]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [2007-01-30 20:01 2618944]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-19 13:22 949376]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 19:19 15872]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-15 16:07 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-15 16:07 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-15 16:07 137752]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"BEWINTERNET-PLSessionManager"="C:\Program Files\OrangeBS\BEWInternet-PL\SessionManager\SessionManager.exe" [2007-07-24 20:03 102400]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"TpShocks"="TpShocks.exe" [2007-03-29 19:40 181808 C:\WINDOWS\system32\TpShocks.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 19:21 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
BTTray.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-02-27 18:43:30 561213]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-12-18 16:44:58 50688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]
Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk - C:\Program Files\SAGEM WiFi manager\WLANUTL.exe [2008-05-06 15:07:41 860160]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 17:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 04:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\TC PowerPack\\TOTALCMD.EXE"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Esko\\bg_prog_egsis_v010\\bin_ix86\\egsissrv.exe"=
"C:\\Esko\\bg_prog_egsis_v010\\bin_ix86\\EGSystemInfoTool.exe"=
"C:\\Program Files\\OrangeBS\\BEWInternet-PL\\Connectivity\\ConnectivityManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13364:UDP"= 13364:UDP:Print Server Utility
"13107:UDP"= 13107:UDP:Print Server Utility
"69:UDP"= 69:UDP:Print Server Utility
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-02 18:49]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-02 18:47]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 10:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 12:24]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-06-17 18:16]
R2 ArtiosLM;Artios License Manager;C:\WINDOWS\system32\artioslm.exe [2000-07-10 17:25]
R2 EG Station Information Service;EG Station Information Service;C:\Esko\bg_prog_egsis_v010\bin_ix86\egsissrv.exe [2006-03-29 12:25]
R2 MSSQL$ARTIOSCADDB;MSSQL$ARTIOSCADDB;C:\Program Files\Microsoft SQL Server\MSSQL$ARTIOSCADDB\Binn\sqlservr.exe [2002-12-17 18:26]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-03-14 23:10]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 14:11]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2006-09-13 13:42]
S3 SG760_XP;SAGEM 802.11g XG760 1211 Driver;C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys [2006-01-09 11:26]
S3 SQLAgent$ARTIOSCADDB;SQLAgent$ARTIOSCADDB;C:\Program Files\Microsoft SQL Server\MSSQL$ARTIOSCADDB\Binn\sqlagent.EXE [2002-12-17 18:23]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 20:45]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 20:45]
S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\system32\ZDCndis5.SYS []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-17 12:58:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-15 13:43:13 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
"2007-12-18 15:19:47 C:\WINDOWS\Tasks\Przypomnienie o rejestracji 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2007-12-18 15:19:47 C:\WINDOWS\Tasks\Przypomnienie o rejestracji 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-07-15 13:19:01 C:\WINDOWS\Tasks\Sprawdź aktualizacje paska narzędzi Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 15:58:10
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-07-15 15:59:38
ComboFix-quarantined-files.txt  2008-07-15 13:59:34
ComboFix2.txt  2008-07-15 12:38:57
ComboFix3.txt  2008-07-15 12:06:24
ComboFix4.txt  2008-07-15 10:56:50
ComboFix5.txt  2008-07-15 13:55:00

Pre-Run: 117,144,027,136 bajtów wolnych
Post-Run: 117,137,547,264 bajtów wolnych

240   --- E O F ---   2008-07-09 08:30:52


HJT
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:49:01, on 2008-07-15
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\artioslm.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Esko\bg_prog_egsis_v010\bin_ix86\egsissrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ARTIOSCADDB\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\Lenovo\LENOVO~1\LPMGR.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\TC PowerPack\totalcmd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.pl/0SEPLPL/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~1\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BEWINTERNET-PLSessionManager] C:\Program Files\OrangeBS\BEWInternet-PL\SessionManager\SessionManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Wyślij do urządzenia &Bluetooth... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198147983734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Artios License Manager (ArtiosLM) - Unknown owner - C:\WINDOWS\system32\artioslm.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EG Station Information Service - Esko-Graphics - C:\Esko\bg_prog_egsis_v010\bin_ix86\egsissrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom SA - C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 13347 bytes
Bart_72
~user
Posts: 19
Joined: 08 Jul 2008, 12:16
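An added example, not code from the thread and not part of HijackThis or ComboFix: a small Python triage script for the "Running processes" section of an HJT log like the one above. It applies the check a helper does by eye when a log lists lsass.exe: a core Windows process name is only trustworthy when it runs from the directory Windows installs it in, so the legitimate C:\WINDOWS\system32\lsass.exe above passes while a same-named file anywhere else is flagged. The expected-directory table is an assumption for the demonstration (XP defaults), and the sample log is constructed: a few lines copied from the log above plus one constructed lookalike path outside System32.

```python
"""Triage helper for the 'Running processes' section of a HijackThis log.

Added example for this thread; it is not part of HijackThis, ComboFix or
the forum's own tooling.  It flags core Windows process names that run
from a directory other than the one Windows installs them in, which is
the check that separates a legitimate C:\\WINDOWS\\system32\\lsass.exe
from a lookalike dropped elsewhere.
"""
from pathlib import PureWindowsPath

# Core XP-era process names and the directory Windows installs them in.
# This table is an assumption for the demonstration (XP defaults), not
# something taken from the forum log; extend it for the systems you triage.
EXPECTED_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


def parse_running_processes(log_text):
    """Return the full paths listed after 'Running processes:' up to the
    first blank line, which is how HijackThis terminates that section."""
    paths = []
    collecting = False
    for line in log_text.splitlines():
        if line.strip().lower() == "running processes:":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            paths.append(line.strip())
    return paths


def find_masquerading(paths):
    """Return (path, expected_dirs) for every core process name whose
    parent directory is not one of the expected ones.  The comparison is
    case-insensitive because Windows paths are (System32 vs system32)."""
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        if name not in EXPECTED_DIRS:
            continue
        parent = str(wp.parent).lower()
        if parent not in EXPECTED_DIRS[name]:
            findings.append((p, sorted(EXPECTED_DIRS[name])))
    return findings


def triage(log_text):
    """Parse the log and return just the suspicious process paths."""
    return [path for path, _ in find_masquerading(parse_running_processes(log_text))]


# Constructed sample: a few lines copied from the HJT log above plus one
# constructed lookalike, C:\WINDOWS\lsass.exe, placed outside System32.
SAMPLE_LOG = """Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\services.exe
C:\\WINDOWS\\system32\\lsass.exe
C:\\WINDOWS\\lsass.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\Explorer.EXE
C:\\Program Files\\Eset\\nod32krn.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.pl/
"""

if __name__ == "__main__":
    for path, expected in find_masquerading(parse_running_processes(SAMPLE_LOG)):
        print(f"SUSPICIOUS: {path} (expected under {', '.join(expected)})")
```

Run it as-is to see the constructed lookalike flagged; to triage a real log, read the file into a string and pass it to triage(). The path check is deliberately strict (exact parent directory, not a prefix match), so a file under a subdirectory such as C:\WINDOWS\system32\drivers\svchost.exe is also reported.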



Post by Magik 15 Jul 2008, 16:42

Bart_72 wrote: I think I know now what is blocking the registry. I installed a parental-control program, X-Guard II. It was probably what was locking the registry, and I couldn't disable it because something in it had broken. I killed the X-Guard process, then removed the entry using TC UP, and it no longer reappears in the registry.


registry protection/lock feature → very likely

delete C:\Qoobox

apart from that, nothing interesting

Magik
~user
Posts: 7956
Joined: 08 May 2004, 09:17
Location: Głogów
Commendations: 886



Post by Bart_72 15 Jul 2008, 16:45

Thank you all for the help!
Bart_72
~user
Posts: 19
Joined: 08 Jul 2008, 12:16



Post by Magik 15 Jul 2008, 16:54

Finally, give the system a clean-up as well

by Mario

1. run a Windows optimization
2. download ATF_Cleaner
   check
   Windows Temp
   All users Temp
   Temporary internet files
   Recycle Bin
   and press EMPTY SELECTED
3. Disable System Restore (My Computer properties - System Restore tab - turn off System Restore on all drives). After a moment, turn it back on.
Magik
~user
Posts: 7956
Joined: 08 May 2004, 09:17
Location: Głogów
Commendations: 886



