znamsienatym
(Darek Bartloszewski)
20 December 2007 20:18
#1
Hello,
I have a problem: the computer has been infected, probably by DioCleaner. I would appreciate an analysis of the logs and some help.
Thank you
ComboFix log:
ComboFix 07-12-20.1 - Darek.Bartloszewski 2007-12-20 21:02:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.421 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
 * Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\DioCleaner
C:\Program Files\DioCleaner\dc_ie_monitor.dll
C:\Program Files\DioCleaner\logs\12.20.07_13_19_07.log
C:\Program Files\DioCleaner\stat.bin
C:\Program Files\DioCleaner\uninstall.exe
C:\Program Files\DioCleaner\uninstall.log
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\g32.txt
C:\WINDOWS\gs32.txt
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\s32.txt
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\aspimgr.exe
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\egmulhxk.dll
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\ws386.ini
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_ASPIMGR
-------\aspimgr


((((((((((((((((((((((((( Files Created from 2007-11-20 to 2007-12-20 )))))))))))))))))))))))))))))))
.

2007-12-20 20:48 . 2006-05-21 18:10 126,976 --a------ C:\WINDOWS\system32\zip.exe
2007-12-20 20:48 . 2006-05-21 18:10 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-12-20 20:45 . 2007-12-20 20:48
2007-12-20 17:43 . 2007-12-20 20:16 6,046 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-20 17:42 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-20 17:42 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-20 17:42 . 2007-12-19 22:57 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-20 17:42 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-20 17:42 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-20 13:22 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-20 13:22 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-20 11:55 . 2007-12-20 11:55 11 --a------ C:\WINDOWS\system32\lt.res
2007-12-20 11:55 . 2007-12-20 11:55 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-12-20 10:56 . 2007-12-20 11:55 4,778 --a------ C:\WINDOWS\system32\sft.res
2007-12-07 20:00 . 2007-12-07 20:00
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2007-12-20 20:09 --------- d-----w C:\Program Files\C4ebreg
2007-12-20 20:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-20 19:21 --------- d-----w C:\Program Files\neostrada tp
2007-12-20 13:22 --------- d-----w C:\Program Files\WST
2007-12-20 12:22 --------- d-----w C:\Program Files\Symantec
2007-12-20 12:21 --------- d-----w C:\Program Files\Symantec Client Security
2007-12-20 12:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-02 22:20 --------- d-----w C:\Program Files\IBM Ayudame
2007-11-22 21:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\GanymedeNet
2007-11-18 11:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DivX
2007-11-17 15:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2007-11-15 14:41 --------- d-----w C:\Program Files\Real
2007-11-15 14:41 --------- d-----w C:\Program Files\Common Files\xing shared
2007-11-15 14:41 --------- d-----w C:\Program Files\Common Files\Real
2007-11-12 10:37 --------- d-----w C:\Program Files\glassfish-v2
2007-11-12 10:34 --------- d-----w C:\Program Files\NetBeans 6.0 RC1
2007-11-12 10:17 --------- d-----w C:\Program Files\Sun
2007-11-12 10:17 --------- d-----w C:\Program Files\Java
2007-11-12 10:14 --------- d-----w C:\Program Files\Common Files\Java
2007-11-09 18:10 --------- d-----w C:\Program Files\iPlus
2007-11-09 18:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\iPlus
2007-11-02 07:03 --------- d-----w C:\Program Files\InterVideo
2007-11-01 21:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-10-31 20:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Sonic
2007-10-31 20:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Leadertech
2007-10-24 08:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\IBM
2007-10-20 19:56 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Winamp
2007-10-20 19:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2007-10-20 12:13 33 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2007-10-20 12:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-20 12:13 --------- d-----w C:\Program Files\SAGEM
2007-10-15 09:37 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-10-15 09:37 249,856 ------w C:\WINDOWS\Setup1.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DF6AFEE-2291-4041-9A74-354624861746}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"ChelloInfo"="C:\Programy\chelloinfo\chelloinfo.exe" []
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 08:39]
"H/PC Connection Agent"="C:\Programy\ActiveSync 4.5\Wcescomm.exe" [2006-11-13 15:57]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 06:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:00]
"ISAM SMT Service"="C:\Program Files\C4ebreg\isamsmt.exe" []
"stgclean"="c:\sdwork\w32main2.exe" [2007-10-24 08:41]
"Tpam.exe"="C:\Program Files\IBM\Personal Communications\tpam.exe" [2005-09-06 10:07]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-14 01:00]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-14 01:00]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-14 01:00]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 01:00]
"ISSI EZUpdate Service"="c:\sdwork\issimsvc.exe" [2007-10-10 11:58]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 01:00]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 01:00]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 01:00]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-04-13 01:00]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-04-13 01:00]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 12:41]
"TpShocks"="TpShocks.exe" [2007-03-29 19:40 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 02:11 C:\WINDOWS\system32\TP4EX.exe]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 01:00]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 17:28]
"ipmcmu"="c:\Program Files\IBM\IPM Client Migration Utility\ipmcmu.exe" [2007-10-15 10:27]
"PSQLLauncher"="C:\Program Files\Thinkvantage Fingerprint Software\launcher.exe" []
"C4EBReg"="C:\Program Files\C4ebreg\c4ebreg.exe" [2007-09-07 19:23]
"Isamtray"="C:\Program Files\C4ebreg\isamtray.exe" [2007-09-07 19:23]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"db2systray.exe"="" []
"autoclk"="autoclk.exe" []
"adiras"="adiras.exe" []
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2004-08-23 13:49]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\GestMaj.exe" [2004-10-14 15:55]
"WinampAgent"="C:\Programy\Winamp\wianmpa.exe" []
"iPlusManager"="C:\Program Files\iPlus\iPlusChecker.exe" [2007-01-04 15:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-15 15:41]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-27 20:33]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Programy\MagicDisc\MagicDisc.exe [2007-11-01 22:21:47]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2006-08-01 20:25:16]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-10-20 13:13:37]
Lotus QuickStart.lnk - C:\lotus\wordpro\ltsstart.exe [2003-04-08 01:00:00]
Macro Express 3.lnk - C:\Program Files\Macro Express3\MacExp.exe [2007-10-15 10:53:20]
startnode.bat [2007-10-24 09:59:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atmgrtok]
atmgrtok.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
pcsinst.dll 2005-09-06 19:43 49152 C:\WINDOWS\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 01:00 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 01:00 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-02 18:49]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-02 18:47]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 10:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 12:24]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-04-13 01:00]
R2 AppnApi;AppnApi;C:\WINDOWS\system32\drivers\appnapi.sys [2005-09-06 10:07]
R2 artstartsvc;IBM Mobility Client Start Utility;C:\Program Files\IBM\Mobility Client\artstartsvc.exe [2007-04-02 17:39]
R2 DB2-0;DB2 - DB2-0;C:\PROGRA~1\IBM\SQLLIB\bin\db2syscs.exe [2006-05-04 19:47]
R2 IBM_LLC2;IBM Personal Communications LLC2 Driver;C:\WINDOWS\system32\DRIVERS\llc2.sys [2005-09-06 10:07]
R2 ISAMSvc;IBM Standard Asset Manager Service;"C:\Program Files\C4ebreg\c4ebreg.exe" [2007-09-07 19:23]
R2 NsTrcNT;NsTrcNT;C:\WINDOWS\system32\drivers\nstrcnt.sys [2005-09-06 10:07]
R2 pdlnctdl;Twinax CUT Adapter;C:\WINDOWS\system32\drivers\pdlnctdl.sys [2005-09-06 10:07]
R2 pdlndldl;IBM Enterprise Extender (HPR/IP);C:\WINDOWS\system32\drivers\pdlndldl.sys [2005-09-06 10:07]
R3 ABVPN2K;Net Firewall Miniport Interface;C:\WINDOWS\system32\DRIVERS\abvpn2k.sys [2004-06-03 18:47]
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys [2005-06-07 01:00]
R3 Anydlc;Anydlc;C:\WINDOWS\system32\drivers\anydlc.sys [2005-09-06 10:07]
R3 Appn;Appn;C:\WINDOWS\system32\drivers\appn.sys [2005-09-06 10:07]
R3 AppnBase;AppnBase;C:\WINDOWS\system32\drivers\AppnBase.sys [2005-09-06 10:07]
R3 atmeltpm;atmeltpm;C:\WINDOWS\system32\DRIVERS\atmeltpm.sys [2005-05-17 01:00]
R3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 13:48]
R3 KLOGNT;KLOGNT;C:\WINDOWS\system32\drivers\klognt.sys [2005-09-06 10:07]
R3 pdlnacom;PDLC Adapter - COM;C:\WINDOWS\system32\drivers\pdlnacom.sys [2005-09-06 10:07]
R3 pdlnafac;PDLC Adapter Factory;C:\WINDOWS\system32\drivers\pdlnafac.sys [2005-09-06 10:07]
R3 pdlnatcm;Twinax Adapter Common;C:\WINDOWS\system32\drivers\pdlnatcm.sys [2005-09-06 10:07]
R3 pdlnatdl;Twinax Adapter;C:\WINDOWS\system32\drivers\pdlnatdl.sys [2005-09-06 10:07]
R3 pdlncbas;PDLC CxM Classes;C:\WINDOWS\system32\drivers\pdlncbas.sys [2005-09-06 10:07]
R3 pdlncfwk;PDLC Connection Manager;C:\WINDOWS\system32\drivers\pdlncfwk.sys [2005-09-06 10:07]
R3 pdlndint;PDLC DLC Classes;C:\WINDOWS\system32\drivers\pdlndint.sys [2005-09-06 10:07]
R3 pdlndlpb;PDLC LAPB;C:\WINDOWS\system32\drivers\pdlndlpb.sys [2005-09-06 10:07]
R3 pdlndoem;PDLC OEM Interface;C:\WINDOWS\system32\drivers\pdlndoem.sys [2005-09-06 10:07]
R3 pdlndqll;PDLC QLLC;C:\WINDOWS\system32\drivers\pdlndqll.sys [2005-09-06 10:07]
R3 pdlndsdl;PDLC SDLC;C:\WINDOWS\system32\drivers\pdlndsdl.sys [2005-09-06 10:07]
R3 pdlndtdl;Twinax DLC;C:\WINDOWS\system32\drivers\pdlndtdl.sys [2005-09-06 10:07]
R3 pdlnebas;PDLC Environment;C:\WINDOWS\system32\drivers\pdlnebas.sys [2005-09-06 10:07]
R3 pdlnecfg;PDLC Configuration;C:\WINDOWS\system32\drivers\pdlnecfg.sys [2005-09-06 10:07]
R3 pdlnemap;PDLC Mapper;C:\WINDOWS\system32\drivers\pdlnemap.sys [2005-09-06 10:07]
R3 pdlnemsg;PDLC Message Driver;C:\WINDOWS\system32\drivers\pdlnemsg.sys [2005-09-06 10:07]
R3 pdlnepkt;PDLC Buffer Manager;C:\WINDOWS\system32\drivers\pdlnepkt.sys [2005-09-06 10:07]
R3 pdlnshay;PDLC Hayes At signalling;C:\WINDOWS\system32\drivers\pdlnshay.sys [2005-09-06 10:07]
R3 pdlnslea;PDLC SDLC Leased;C:\WINDOWS\system32\drivers\pdlnslea.sys [2005-09-06 10:07]
R3 pdlnsv25;PDLC V25bis signalling;C:\WINDOWS\system32\drivers\pdlnsv25.sys [2005-09-06 10:07]
R3 pdlnsx25;PDLC X.25;C:\WINDOWS\system32\drivers\pdlnsx25.sys [2005-09-06 10:07]
R3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys [2002-10-14 13:40]
R3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys [2002-10-14 13:40]
R3 wcndis;Mobility Client Virtual Miniport;C:\WINDOWS\system32\DRIVERS\wcndis.sys [2006-01-30 09:05]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2006-11-15 04:00]
S3 GTF32BUS;GT F32 BUS;C:\WINDOWS\system32\DRIVERS\gtf32bus.sys [2007-09-18 10:21]
S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-09-18 10:21]
S3 GTSCSER;GT SC SER;C:\WINDOWS\system32\DRIVERS\gtscser.sys [2007-09-18 10:21]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3788c2d0-ac90-11dc-8298-00197d16e6d6}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

.
Contents of the 'Scheduled Tasks' folder
"2007-12-20 19:21:47 C:\WINDOWS\Tasks\PMTask.job" - C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-20 21:09:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\PROGRA~1\ThinkPad\UTILIT~1\US\PWRMGRRT.DLL
-> C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRIF.DLL
.
Completion time: 2007-12-20 21:11:33 - machine was rebooted
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 21:12:13, on 2007-12-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\IBM\Mobility Client\artstartsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\Program Files\C4ebreg\c4ebreg.exe
C:\Program Files\IBM\Personal Communications\tpam.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
c:\sdwork\issimsvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\notes\ntmulti.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\IBM\IPM Client Migration Utility\ipmcmu.exe
C:\Program Files\C4ebreg\isamtray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\IBM\SQLLIB\BIN\db2systray.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\iPlus\iPlusChecker.exe
C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Programy\ActiveSync 4.5\Wcescomm.exe
C:\Programy\ACTIVE~1.5\rapimgr.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Macro Express3\MacExp.exe
C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\IBM\Personal Communications\anyloadr.exe
C:\Programy\MagicDisc\MagicDisc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\WINDOWS\system32\Drivers\appnnode.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://w3.ibm.com/
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Microsoft copyright - {5DF6AFEE-2291-4041-9A74-354624861746} - judgemq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4ebreg\isamsmt.exe"
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [ipmcmu] c:\Program Files\IBM\IPM Client Migration Utility\ipmcmu.exe "c:\Program Files\IBM\IPM Client Migration Utility"
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Thinkvantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\C4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [Isamtray] "C:\Program Files\C4ebreg\isamtray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [db2systray.exe DB2] C:\Program Files\IBM\SQLLIB\BIN\db2systray.exe DB2
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programy\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [iPlusManager] C:\Program Files\iPlus\iPlusChecker.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ChelloInfo] C:\Programy\chelloinfo\chelloinfo.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programy\ActiveSync 4.5\Wcescomm.exe"
O4 - Startup: MagicDisc.lnk = C:\Programy\MagicDisc\MagicDisc.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: Macro Express 3.lnk = C:\Program Files\Macro Express3\MacExp.exe
O4 - Global Startup: startnode.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programy\ACTIVE~1.5\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programy\ACTIVE~1.5\INetRepl.dll
O9 - Extra 'Tools' menuitem: Utwórz Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programy\ACTIVE~1.5\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com
O16 - DPF: {1ACECAFE-0015-0000-0000-ABCDEFFEDCBA} (Java2 Runtime Environment 1.5.0) - http://
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows … 2806020656
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bluepages/scripts/lnwebassist.cab
O16 - DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} (gpwsx.plugin) - http://w3.ibm.com/tools/print/plugin/gpwsx.cab
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java2 Runtime Environment 1.5.0) - http://
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = warszawa.pl.ibm.com,pl.ibm.com,ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = warszawa.pl.ibm.com,pl.ibm.com,ibm.com
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: atmgrtok - atmgrtok.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pcsinst - C:\WINDOWS\SYSTEM32\pcsinst.dll
O20 - Winlogon Notify: tpfnf2 - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\Program Files\Lenovo\HOTKEY\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\system32\Drivers\appnnode.exe
O23 - Service: Mobility Client (ArtourService) - IBM - C:\Program Files\IBM\Mobility Client\artsvc.exe
O23 - Service: IBM Mobility Client Start Utility (artstartsvc) - Unknown owner - C:\Program Files\IBM\Mobility Client\artstartsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DB2 - DB2-0 (DB2-0) - International Business Machines Corporation - C:\PROGRA~1\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 License Server (DB2LICD) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2licd.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - Unknown owner - C:\Program Files\C4ebreg\isamsmt.exe (file missing)
O23 - Service: IBM Standard Asset Manager Service (ISAMSvc) - IBM Corp. - C:\Program Files\C4ebreg\c4ebreg.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Corp. - c:\sdwork\issimsvc.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe
I would ask for help in solving the problem.
Thank you,
Gutek
(Gutek)
20 December 2007 21:19
#2
Paste into Notepad:
>>File>>Save as... >>> CFScript (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
- like in this picture ->
(if the question "1 or 2" appears, type 1 and press ENTER) The removal should start (and a log will be produced).
After the restart, manually delete the folder C:\Qoobox.
After that, a new log from Combo.
znamsienatym
(Darek Bartloszewski)
21 December 2007 19:48
#3
Hello,
I did everything according to the instructions.
So I am posting the ComboFix logs below: first in order, the ones created
after carrying out the instructions above (with the CFScript.txt file), saved to a file (log.txt).
Then, after the restart, I started ComboFix again and I am also posting
the log from the ComboFix.txt file (as the second one).
log.txt :
ComboFix 07-12-20.1 - Darek.Bartloszewski 2007-12-21 20:25:11.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.401 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\lt.res
C:\WINDOWS\system32\sft.res
.
((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.
2007-12-20 20:48 . 2006-05-21 18:10 126,976 --a------ C:\WINDOWS\system32\zip.exe
2007-12-20 20:48 . 2006-05-21 18:10 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-12-20 20:45 . 2007-12-20 20:48
2007-12-20 17:43 . 2007-12-20 20:16 6,046 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-20 17:42 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-20 17:42 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-20 17:42 . 2007-12-19 22:57 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-20 17:42 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-20 17:42 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-20 13:22 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-20 13:22 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-07 20:00 . 2007-12-07 20:00
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 19:16 --------- d-----w C:\Program Files\neostrada tp
2007-12-21 19:14 --------- d-----w C:\Program Files\C4ebreg
2007-12-21 14:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-21 13:04 --------- d-----w C:\Program Files\WST
2007-12-20 12:22 --------- d-----w C:\Program Files\Symantec
2007-12-20 12:21 --------- d-----w C:\Program Files\Symantec Client Security
2007-12-20 12:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-02 22:20 --------- d-----w C:\Program Files\IBM Ayudame
2007-11-22 21:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\GanymedeNet
2007-11-18 11:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DivX
2007-11-17 15:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2007-11-15 14:41 --------- d-----w C:\Program Files\Real
2007-11-15 14:41 --------- d-----w C:\Program Files\Common Files\xing shared
2007-11-15 14:41 --------- d-----w C:\Program Files\Common Files\Real
2007-11-12 10:37 --------- d-----w C:\Program Files\glassfish-v2
2007-11-12 10:34 --------- d-----w C:\Program Files\NetBeans 6.0 RC1
2007-11-12 10:17 --------- d-----w C:\Program Files\Sun
2007-11-12 10:17 --------- d-----w C:\Program Files\Java
2007-11-12 10:14 --------- d-----w C:\Program Files\Common Files\Java
2007-11-09 18:10 --------- d-----w C:\Program Files\iPlus
2007-11-09 18:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\iPlus
2007-11-02 07:03 --------- d-----w C:\Program Files\InterVideo
2007-11-01 21:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-10-31 20:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Sonic
2007-10-31 20:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Leadertech
2007-10-24 08:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\IBM
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-10-15 09:37 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-10-15 09:37 249,856 ------w C:\WINDOWS\Setup1.exe
2007-09-24 12:37 252,416 ----a-w C:\WINDOWS\system32\ibmgp.dll
.
((((((((((((((((((((((((((((( snapshot@2007-12-20_21.10.39.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-21 19:15:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DF6AFEE-2291-4041-9A74-354624861746}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"ChelloInfo"="C:\Programy\chelloinfo\chelloinfo.exe" []
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 08:39]
"H/PC Connection Agent"="C:\Programy\ActiveSync 4.5\Wcescomm.exe" [2006-11-13 15:57]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 06:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:00]
"ISAM SMT Service"="C:\Program Files\C4ebreg\isamsmt.exe" []
"stgclean"="c:\sdwork\w32main2.exe" [2007-10-24 08:41]
"Tpam.exe"="C:\Program Files\IBM\Personal Communications\tpam.exe" [2005-09-06 10:07]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-14 01:00]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-14 01:00]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-14 01:00]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 01:00]
"ISSI EZUpdate Service"="c:\sdwork\issimsvc.exe" [2007-10-10 11:58]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 01:00]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 01:00]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 01:00]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-04-13 01:00]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-04-13 01:00]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 12:41]
"TpShocks"="TpShocks.exe" [2007-03-29 19:40 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 02:11 C:\WINDOWS\system32\TP4EX.exe]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 01:00]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 17:28]
"ipmcmu"="c:\Program Files\IBM\IPM Client Migration Utility\ipmcmu.exe" [2007-10-15 10:27]
"PSQLLauncher"="C:\Program Files\Thinkvantage Fingerprint Software\launcher.exe" []
"C4EBReg"="C:\Program Files\C4ebreg\c4ebreg.exe" [2007-09-07 19:23]
"Isamtray"="C:\Program Files\C4ebreg\isamtray.exe" [2007-09-07 19:23]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"db2systray.exe"="" []
"autoclk"="autoclk.exe" []
"adiras"="adiras.exe" []
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2004-08-23 13:49]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\GestMaj.exe" [2004-10-14 15:55]
"WinampAgent"="C:\Programy\Winamp\wianmpa.exe" []
"iPlusManager"="C:\Program Files\iPlus\iPlusChecker.exe" [2007-01-04 15:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-15 15:41]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-27 20:33]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Programy\MagicDisc\MagicDisc.exe [2007-11-01 22:21:47]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2006-08-01 20:25:16]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-10-20 13:13:37]
Lotus QuickStart.lnk - C:\lotus\wordpro\ltsstart.exe [2003-04-08 01:00:00]
Macro Express 3.lnk - C:\Program Files\Macro Express3\MacExp.exe [2007-10-15 10:53:20]
startnode.bat [2007-10-24 09:59:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atmgrtok]
atmgrtok.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
pcsinst.dll 2005-09-06 19:43 49152 C:\WINDOWS\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 01:00 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 01:00 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-02 18:49]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-02 18:47]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 10:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 12:24]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-04-13 01:00]
R2 AppnApi;AppnApi;C:\WINDOWS\system32\drivers\appnapi.sys [2005-09-06 10:07]
R2 artstartsvc;IBM Mobility Client Start Utility;C:\Program Files\IBM\Mobility Client\artstartsvc.exe [2007-04-02 17:39]
R2 DB2-0;DB2 - DB2-0;C:\PROGRA~1\IBM\SQLLIB\bin\db2syscs.exe [2006-05-04 19:47]
R2 IBM_LLC2;IBM Personal Communications LLC2 Driver;C:\WINDOWS\system32\DRIVERS\llc2.sys [2005-09-06 10:07]
R2 ISAMSvc;IBM Standard Asset Manager Service;"C:\Program Files\C4ebreg\c4ebreg.exe" [2007-09-07 19:23]
R2 NsTrcNT;NsTrcNT;C:\WINDOWS\system32\drivers\nstrcnt.sys [2005-09-06 10:07]
R2 pdlnctdl;Twinax CUT Adapter;C:\WINDOWS\system32\drivers\pdlnctdl.sys [2005-09-06 10:07]
R2 pdlndldl;IBM Enterprise Extender (HPR/IP);C:\WINDOWS\system32\drivers\pdlndldl.sys [2005-09-06 10:07]
R3 ABVPN2K;Net Firewall Miniport Interface;C:\WINDOWS\system32\DRIVERS\abvpn2k.sys [2004-06-03 18:47]
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys [2005-06-07 01:00]
R3 Anydlc;Anydlc;C:\WINDOWS\system32\drivers\anydlc.sys [2005-09-06 10:07]
R3 Appn;Appn;C:\WINDOWS\system32\drivers\appn.sys [2005-09-06 10:07]
R3 AppnBase;AppnBase;C:\WINDOWS\system32\drivers\AppnBase.sys [2005-09-06 10:07]
R3 atmeltpm;atmeltpm;C:\WINDOWS\system32\DRIVERS\atmeltpm.sys [2005-05-17 01:00]
R3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 13:48]
R3 GTF32BUS;GT F32 BUS;C:\WINDOWS\system32\DRIVERS\gtf32bus.sys [2007-09-18 10:21]
R3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-09-18 10:21]
R3 GTSCSER;GT SC SER;C:\WINDOWS\system32\DRIVERS\gtscser.sys [2007-09-18 10:21]
R3 KLOGNT;KLOGNT;C:\WINDOWS\system32\drivers\klognt.sys [2005-09-06 10:07]
R3 pdlnacom;PDLC Adapter - COM;C:\WINDOWS\system32\drivers\pdlnacom.sys [2005-09-06 10:07]
R3 pdlnafac;PDLC Adapter Factory;C:\WINDOWS\system32\drivers\pdlnafac.sys [2005-09-06 10:07]
R3 pdlnatcm;Twinax Adapter Common;C:\WINDOWS\system32\drivers\pdlnatcm.sys [2005-09-06 10:07]
R3 pdlnatdl;Twinax Adapter;C:\WINDOWS\system32\drivers\pdlnatdl.sys [2005-09-06 10:07]
R3 pdlncbas;PDLC CxM Classes;C:\WINDOWS\system32\drivers\pdlncbas.sys [2005-09-06 10:07]
R3 pdlncfwk;PDLC Connection Manager;C:\WINDOWS\system32\drivers\pdlncfwk.sys [2005-09-06 10:07]
R3 pdlndint;PDLC DLC Classes;C:\WINDOWS\system32\drivers\pdlndint.sys [2005-09-06 10:07]
R3 pdlndlpb;PDLC LAPB;C:\WINDOWS\system32\drivers\pdlndlpb.sys [2005-09-06 10:07]
R3 pdlndoem;PDLC OEM Interface;C:\WINDOWS\system32\drivers\pdlndoem.sys [2005-09-06 10:07]
R3 pdlndqll;PDLC QLLC;C:\WINDOWS\system32\drivers\pdlndqll.sys [2005-09-06 10:07]
R3 pdlndsdl;PDLC SDLC;C:\WINDOWS\system32\drivers\pdlndsdl.sys [2005-09-06 10:07]
R3 pdlndtdl;Twinax DLC;C:\WINDOWS\system32\drivers\pdlndtdl.sys [2005-09-06 10:07]
R3 pdlnebas;PDLC Environment;C:\WINDOWS\system32\drivers\pdlnebas.sys [2005-09-06 10:07]
R3 pdlnecfg;PDLC Configuration;C:\WINDOWS\system32\drivers\pdlnecfg.sys [2005-09-06 10:07]
R3 pdlnemap;PDLC Mapper;C:\WINDOWS\system32\drivers\pdlnemap.sys [2005-09-06 10:07]
R3 pdlnemsg;PDLC Message Driver;C:\WINDOWS\system32\drivers\pdlnemsg.sys [2005-09-06 10:07]
R3 pdlnepkt;PDLC Buffer Manager;C:\WINDOWS\system32\drivers\pdlnepkt.sys [2005-09-06 10:07]
R3 pdlnshay;PDLC Hayes At signalling;C:\WINDOWS\system32\drivers\pdlnshay.sys [2005-09-06 10:07]
R3 pdlnslea;PDLC SDLC Leased;C:\WINDOWS\system32\drivers\pdlnslea.sys [2005-09-06 10:07]
R3 pdlnsv25;PDLC V25bis signalling;C:\WINDOWS\system32\drivers\pdlnsv25.sys [2005-09-06 10:07]
R3 pdlnsx25;PDLC X.25;C:\WINDOWS\system32\drivers\pdlnsx25.sys [2005-09-06 10:07]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2006-11-15 04:00]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]
S3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys [2002-10-14 13:40]
S3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys [2002-10-14 13:40]
S3 wcndis;Mobility Client Virtual Miniport;C:\WINDOWS\system32\DRIVERS\wcndis.sys [2006-01-30 09:05]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-21 19:15:58 C:\WINDOWS\Tasks\PMTask.job" - C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 20:27:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
Completion time: 2007-12-21 20:28:35
C:\ComboFix2.txt ... 2007-12-21 14:14
C:\ComboFix3.txt ... 2007-12-20 21:11
ComboFix.txt :
ComboFix 07-12-20.1 - Darek.Bartloszewski 2007-12-21 20:38:02.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.466 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.
2007-12-20 20:48 . 2006-05-21 18:10 126,976 --a------ C:\WINDOWS\system32\zip.exe
2007-12-20 20:48 . 2006-05-21 18:10 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-12-20 20:45 . 2007-12-20 20:48
2007-12-20 17:43 . 2007-12-20 20:16 6,046 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-20 17:42 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-20 17:42 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-20 17:42 . 2007-12-19 22:57 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-20 17:42 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-20 17:42 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-20 13:22 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-20 13:22 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-07 20:00 . 2007-12-07 20:00
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 19:36 --------- d-----w C:\Program Files\neostrada tp
2007-12-21 19:35 --------- d-----w C:\Program Files\C4ebreg
2007-12-21 14:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-21 13:04 --------- d-----w C:\Program Files\WST
2007-12-20 12:22 --------- d-----w C:\Program Files\Symantec
2007-12-20 12:21 --------- d-----w C:\Program Files\Symantec Client Security
2007-12-20 12:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-02 22:20 --------- d-----w C:\Program Files\IBM Ayudame
2007-11-22 21:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\GanymedeNet
2007-11-18 11:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DivX
2007-11-17 15:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2007-11-15 14:41 --------- d-----w C:\Program Files\Real
2007-11-15 14:41 --------- d-----w C:\Program Files\Common Files\xing shared
2007-11-15 14:41 --------- d-----w C:\Program Files\Common Files\Real
2007-11-12 10:37 --------- d-----w C:\Program Files\glassfish-v2
2007-11-12 10:34 --------- d-----w C:\Program Files\NetBeans 6.0 RC1
2007-11-12 10:17 --------- d-----w C:\Program Files\Sun
2007-11-12 10:17 --------- d-----w C:\Program Files\Java
2007-11-12 10:14 --------- d-----w C:\Program Files\Common Files\Java
2007-11-09 18:10 --------- d-----w C:\Program Files\iPlus
2007-11-09 18:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\iPlus
2007-11-02 07:03 --------- d-----w C:\Program Files\InterVideo
2007-11-01 21:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-10-31 20:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Sonic
2007-10-31 20:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Leadertech
2007-10-24 08:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\IBM
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-10-15 09:37 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-10-15 09:37 249,856 ------w C:\WINDOWS\Setup1.exe
2007-09-24 12:37 252,416 ----a-w C:\WINDOWS\system32\ibmgp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DF6AFEE-2291-4041-9A74-354624861746}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"ChelloInfo"="C:\Programy\chelloinfo\chelloinfo.exe" []
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 08:39]
"H/PC Connection Agent"="C:\Programy\ActiveSync 4.5\Wcescomm.exe" [2006-11-13 15:57]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 06:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:00]
"ISAM SMT Service"="C:\Program Files\C4ebreg\isamsmt.exe" []
"stgclean"="c:\sdwork\w32main2.exe" [2007-10-24 08:41]
"Tpam.exe"="C:\Program Files\IBM\Personal Communications\tpam.exe" [2005-09-06 10:07]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-14 01:00]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-14 01:00]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-14 01:00]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 01:00]
"ISSI EZUpdate Service"="c:\sdwork\issimsvc.exe" [2007-10-10 11:58]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 01:00]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 01:00]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 01:00]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-04-13 01:00]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-04-13 01:00]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 12:41]
"TpShocks"="TpShocks.exe" [2007-03-29 19:40 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 02:11 C:\WINDOWS\system32\TP4EX.exe]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 01:00]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 17:28]
"ipmcmu"="c:\Program Files\IBM\IPM Client Migration Utility\ipmcmu.exe" [2007-10-15 10:27]
"PSQLLauncher"="C:\Program Files\Thinkvantage Fingerprint Software\launcher.exe" []
"C4EBReg"="C:\Program Files\C4ebreg\c4ebreg.exe" [2007-09-07 19:23]
"Isamtray"="C:\Program Files\C4ebreg\isamtray.exe" [2007-09-07 19:23]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"db2systray.exe"="" []
"autoclk"="autoclk.exe" []
"adiras"="adiras.exe" []
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2004-08-23 13:49]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\GestMaj.exe" [2004-10-14 15:55]
"WinampAgent"="C:\Programy\Winamp\wianmpa.exe" []
"iPlusManager"="C:\Program Files\iPlus\iPlusChecker.exe" [2007-01-04 15:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-15 15:41]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-27 20:33]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Programy\MagicDisc\MagicDisc.exe [2007-11-01 22:21:47]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2006-08-01 20:25:16]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-10-20 13:13:37]
Lotus QuickStart.lnk - C:\lotus\wordpro\ltsstart.exe [2003-04-08 01:00:00]
Macro Express 3.lnk - C:\Program Files\Macro Express3\MacExp.exe [2007-10-15 10:53:20]
startnode.bat [2007-10-24 09:59:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atmgrtok]
atmgrtok.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
pcsinst.dll 2005-09-06 19:43 49152 C:\WINDOWS\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 01:00 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 01:00 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-02 18:49]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-02 18:47]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 10:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 12:24]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-04-13 01:00]
R2 AppnApi;AppnApi;C:\WINDOWS\system32\drivers\appnapi.sys [2005-09-06 10:07]
R2 artstartsvc;IBM Mobility Client Start Utility;C:\Program Files\IBM\Mobility Client\artstartsvc.exe [2007-04-02 17:39]
R2 DB2-0;DB2 - DB2-0;C:\PROGRA~1\IBM\SQLLIB\bin\db2syscs.exe [2006-05-04 19:47]
R2 IBM_LLC2;IBM Personal Communications LLC2 Driver;C:\WINDOWS\system32\DRIVERS\llc2.sys [2005-09-06 10:07]
R2 ISAMSvc;IBM Standard Asset Manager Service;"C:\Program Files\C4ebreg\c4ebreg.exe" [2007-09-07 19:23]
R2 NsTrcNT;NsTrcNT;C:\WINDOWS\system32\drivers\nstrcnt.sys [2005-09-06 10:07]
R2 pdlnctdl;Twinax CUT Adapter;C:\WINDOWS\system32\drivers\pdlnctdl.sys [2005-09-06 10:07]
R2 pdlndldl;IBM Enterprise Extender (HPR/IP);C:\WINDOWS\system32\drivers\pdlndldl.sys [2005-09-06 10:07]
R3 ABVPN2K;Net Firewall Miniport Interface;C:\WINDOWS\system32\DRIVERS\abvpn2k.sys [2004-06-03 18:47]
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys [2005-06-07 01:00]
R3 Anydlc;Anydlc;C:\WINDOWS\system32\drivers\anydlc.sys [2005-09-06 10:07]
R3 Appn;Appn;C:\WINDOWS\system32\drivers\appn.sys [2005-09-06 10:07]
R3 AppnBase;AppnBase;C:\WINDOWS\system32\drivers\AppnBase.sys [2005-09-06 10:07]
R3 atmeltpm;atmeltpm;C:\WINDOWS\system32\DRIVERS\atmeltpm.sys [2005-05-17 01:00]
R3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 13:48]
R3 GTF32BUS;GT F32 BUS;C:\WINDOWS\system32\DRIVERS\gtf32bus.sys [2007-09-18 10:21]
R3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-09-18 10:21]
R3 GTSCSER;GT SC SER;C:\WINDOWS\system32\DRIVERS\gtscser.sys [2007-09-18 10:21]
R3 KLOGNT;KLOGNT;C:\WINDOWS\system32\drivers\klognt.sys [2005-09-06 10:07]
R3 pdlnacom;PDLC Adapter - COM;C:\WINDOWS\system32\drivers\pdlnacom.sys [2005-09-06 10:07]
R3 pdlnafac;PDLC Adapter Factory;C:\WINDOWS\system32\drivers\pdlnafac.sys [2005-09-06 10:07]
R3 pdlnatcm;Twinax Adapter Common;C:\WINDOWS\system32\drivers\pdlnatcm.sys [2005-09-06 10:07]
R3 pdlnatdl;Twinax Adapter;C:\WINDOWS\system32\drivers\pdlnatdl.sys [2005-09-06 10:07]
R3 pdlncbas;PDLC CxM Classes;C:\WINDOWS\system32\drivers\pdlncbas.sys [2005-09-06 10:07]
R3 pdlncfwk;PDLC Connection Manager;C:\WINDOWS\system32\drivers\pdlncfwk.sys [2005-09-06 10:07]
R3 pdlndint;PDLC DLC Classes;C:\WINDOWS\system32\drivers\pdlndint.sys [2005-09-06 10:07]
R3 pdlndlpb;PDLC LAPB;C:\WINDOWS\system32\drivers\pdlndlpb.sys [2005-09-06 10:07]
R3 pdlndoem;PDLC OEM Interface;C:\WINDOWS\system32\drivers\pdlndoem.sys [2005-09-06 10:07]
R3 pdlndqll;PDLC QLLC;C:\WINDOWS\system32\drivers\pdlndqll.sys [2005-09-06 10:07]
R3 pdlndsdl;PDLC SDLC;C:\WINDOWS\system32\drivers\pdlndsdl.sys [2005-09-06 10:07]
R3 pdlndtdl;Twinax DLC;C:\WINDOWS\system32\drivers\pdlndtdl.sys [2005-09-06 10:07]
R3 pdlnebas;PDLC Environment;C:\WINDOWS\system32\drivers\pdlnebas.sys [2005-09-06 10:07]
R3 pdlnecfg;PDLC Configuration;C:\WINDOWS\system32\drivers\pdlnecfg.sys [2005-09-06 10:07]
R3 pdlnemap;PDLC Mapper;C:\WINDOWS\system32\drivers\pdlnemap.sys [2005-09-06 10:07]
R3 pdlnemsg;PDLC Message Driver;C:\WINDOWS\system32\drivers\pdlnemsg.sys [2005-09-06 10:07]
R3 pdlnepkt;PDLC Buffer Manager;C:\WINDOWS\system32\drivers\pdlnepkt.sys [2005-09-06 10:07]
R3 pdlnshay;PDLC Hayes At signalling;C:\WINDOWS\system32\drivers\pdlnshay.sys [2005-09-06 10:07]
R3 pdlnslea;PDLC SDLC Leased;C:\WINDOWS\system32\drivers\pdlnslea.sys [2005-09-06 10:07]
R3 pdlnsv25;PDLC V25bis signalling;C:\WINDOWS\system32\drivers\pdlnsv25.sys [2005-09-06 10:07]
R3 pdlnsx25;PDLC X.25;C:\WINDOWS\system32\drivers\pdlnsx25.sys [2005-09-06 10:07]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2006-11-15 04:00]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]
S3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys [2002-10-14 13:40]
S3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys [2002-10-14 13:40]
S3 wcndis;Mobility Client Virtual Miniport;C:\WINDOWS\system32\DRIVERS\wcndis.sys [2006-01-30 09:05]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-21 19:36:14 C:\WINDOWS\Tasks\PMTask.job" - C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 20:40:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
Completion time: 2007-12-21 20:40:54
Please analyse this and advise what to do next.
Thank you very much.
Gutek
(Gutek)
22 December 2007 00:16
#4
znamsienatym
(Darek Bartloszewski)
22 December 2007 17:07
#5
Hello,
thank you for the help. I did the optimisation at my own discretion.
Should I do anything else?!
Is my system now "clean" of this spyware and similar
things?!