Prosze O Sprawdzenie Loga

[Niemiec]

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:06:07, on 2008-07-29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe
C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe
C:\Program Files\ArcaBit\ArcaUpdate\update.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe
C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe
C:\Program Files\ArcaBit\Common\TaskScheduler.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Marek\Pulpit\trojan\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=pl&s=bsd
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=pl&s=bsd
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.euro.dell.com/content/default....;l=pl&s=bsd
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9FFF96B4-AEB0-4E2E-9958-52B3943C1F14} - C:\WINDOWS\system32\fcccdBRH.dll (file missing)
O2 - BHO: (no name) - {D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2} - C:\WINDOWS\system32\rqRLdcYR.dll
O2 - BHO: (no name) - {E3D40E31-91C2-42BF-A66D-2A1102A1CDC0} - C:\WINDOWS\system32\ddcYSiGy.dll (file missing)
O2 - BHO: (no name) - {EC63F8C1-B386-46F9-A207-3FF32F08DA7B} - C:\WINDOWS\system32\tuvSifGX.dll (file missing)
O2 - BHO: (no name) - {F0CED784-DE8B-4774-ABDD-AB3854A79229} - (no file)
O2 - BHO: (no name) - {F298B74F-A4F1-4102-B99A-B9FE5D7E801D} - C:\WINDOWS\system32\cbXQjhii.dll
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ABRegmon] C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe
O4 - HKLM\..\Run: [ArcaCheck] C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup
O4 - HKLM\..\Run: [AvMenu] C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Marek\lsass.exe
O4 - HKLM\..\Run: [bMc779bca0] Rundll32.exe "C:\WINDOWS\system32\lbjunmkh.dll",s
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191234700156
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: rqRLdcYR - C:\WINDOWS\SYSTEM32\rqRLdcYR.dll
O20 - Winlogon Notify: TS_LogonListener - C:\WINDOWS\SYSTEM32\TS_LogonListener.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcaBit FileMonitor (ABFileMon) - ArcaBit - C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe
O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit - C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe
O23 - Service: ArcaBit.Core.Configurator - ArcaBit - C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe
O23 - Service: ArcaBit.Core.LoggingService - ArcaBit - C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe
O23 - Service: ArcaBit.TaskScheduler - ArcaBit sp. z o.o. - C:\Program Files\ArcaBit\Common\TaskScheduler.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ArcaBit Update Service (AVUpdate) - ArcaBit - C:\Program Files\ArcaBit\ArcaUpdate\update.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7662 bytes

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - silentruners

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"Gadu-Gadu" = ""D:\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SigmatelSysTrayApp" = "stsystra.exe" ["SigmaTel, Inc."]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"" [null data]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"Broadcom Wireless Manager UI" = "C:\WINDOWS\system32\WLTRAY.exe" ["Dell Inc."]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["Macrovision Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["Macrovision Corporation"]
"ABRegmon" = "C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe" ["ArcaBit"]
"ArcaCheck" = "C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup" ["ArcaBit"]
"AvMenu" = "C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe" ["ArcaBit"]
"LSA Shellu" = "C:\Documents and Settings\Marek\lsass.exe" [file not found]
"BMc779bca0" = "Rundll32.exe "C:\WINDOWS\system32\lbjunmkh.dll",s" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9FFF96B4-AEB0-4E2E-9958-52B3943C1F14}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\fcccdBRH.dll" [file not found]
{D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\rqRLdcYR.dll" [null data]
{E3D40E31-91C2-42BF-A66D-2A1102A1CDC0}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ddcYSiGy.dll" [file not found]
{EC63F8C1-B386-46F9-A207-3FF32F08DA7B}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\tuvSifGX.dll" [file not found]
{F298B74F-A4F1-4102-B99A-B9FE5D7E801D}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\cbXQjhii.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll" ["Roxio"]
"{D7824897-C8DC-49b4-B790-30F7ED16A5FD}" = "ArcaVir Shell Extension"
-> {HKLM...CLSID} = "ArcaVir Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2}" = "*_" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\rqRLdcYR.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\cbXQjhii"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk /r \??\C:"|"autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> rqRLdcYR\DLLName = "rqRLdcYR.dll" [null data]
<<!>> TS_LogonListener\DLLName = "TS_LogonListener.dll" ["ArcaBit sp. z o.o."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
ArcaVirShell\(Default) = "{D7824897-C8DC-49b4-B790-30F7ED16A5FD}"
-> {HKLM...CLSID} = "ArcaVir Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
ArcaVirShell\(Default) = "{D7824897-C8DC-49b4-B790-30F7ED16A5FD}"
-> {HKLM...CLSID} = "ArcaVir Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\dell.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MediaCapture9Music\
"Provider" = "Media Import"
"InvokeProgID" = "RoxioMediaCapture9"
"InvokeVerb" = "Audio"
HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Audio\command\(Default) = "C:\Program Files\Roxio\Media Import 9\MediaCapture9.exe -audio %L" ["Sonic Solutions"]

MediaCapture9Photos\
"Provider" = "Media Import"
"InvokeProgID" = "RoxioMediaCapture9"
"InvokeVerb" = "Photo"
HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Photo\command\(Default) = "C:\Program Files\Roxio\Media Import 9\MediaCapture9.exe -photo %L" ["Sonic Solutions"]

MediaCapture9VideoCamera\
"Provider" = "Media Import"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Roxio\Media Import 9\MediaCapture9.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MediaCapture9Videos\
"Provider" = "Media Import"
"InvokeProgID" = "RoxioMediaCapture9"
"InvokeVerb" = "Video"
HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Video\command\(Default) = "C:\Program Files\Roxio\Media Import 9\MediaCapture9.exe -video %L" ["Sonic Solutions"]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

PDVDPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" MOVIE "%L"" ["CyberLink Corp."]

RoxioSCAudioCDTask33\
"Provider" = "Roxio Creator Audio"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "AudioCDTask"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\AudioCDTask\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {8E376824-EA6C-4CB7-AA05-A30CB84D359B}" [null data]

RoxioSCCopyCD33\
"Provider" = "Roxio Creator Copy"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}" [null data]

RoxioSCCopyDisc33\
"Provider" = "Roxio Creator Copy"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}" [null data]

RoxioSCDataProject33\
"Provider" = "Roxio Creator Data"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "DataGuide"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataGuide\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch Data" [null data]

RoxioSCDataTask33\
"Provider" = "Roxio Creator Data"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "DataTask"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataTask\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {D085B12D-4D9B-49C2-8323-5053831CBD54}" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Wyślij do programu OneNote"
"MenuText" = "Wyślij &do programu OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ArcaBit FileMonitor, ABFileMon, ""C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe"" ["ArcaBit"]
ArcaBit NetMonitor, ABNetMon, "C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe" ["ArcaBit"]
ArcaBit Update Service, AVUpdate, "C:\Program Files\ArcaBit\ArcaUpdate\update.exe" ["ArcaBit"]
ArcaBit.Core.Configurator, ArcaBit.Core.Configurator, ""C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe"" ["ArcaBit"]
ArcaBit.Core.LoggingService, ArcaBit.Core.LoggingService, ""C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe"" ["ArcaBit"]
ArcaBit.TaskScheduler, ArcaBit.TaskScheduler, ""C:\Program Files\ArcaBit\Common\TaskScheduler.exe"" ["ArcaBit sp. z o.o."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Dell Wireless WLAN Tray Service, wltrysvc, "C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe" [null data]
Lavasoft Ad-Aware Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe"" ["Lavasoft"]
Roxio Hard Drive Watcher 9, RoxWatch9, ""C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe"" ["Sonic Solutions"]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


---------- (launch time: 2008-07-29 09:13:08)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 5 seconds.
---------- (total run time: 33 seconds)

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - combofix

ComboFix 08-07-28.4 - Marek 2008-07-29 9:15:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.850 [GMT 2:00]
Running from: C:\Documents and Settings\Marek\Pulpit\trojan\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Antivirus 2009
C:\Program Files\Antivirus 2009\av2009.exe
C:\WINDOWS\BMc779bca0.txt
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\baitsgkr.ini
C:\WINDOWS\system32\bgeapqxj.ini
C:\WINDOWS\system32\dkqeelpf.dll
C:\WINDOWS\system32\eoxifpak.ini
C:\WINDOWS\system32\fkxkbhuq.dll
C:\WINDOWS\system32\fpleeqkd.ini
C:\WINDOWS\system32\giwudwgp.ini
C:\WINDOWS\system32\HRBdcccf.ini
C:\WINDOWS\system32\HRBdcccf.ini2
C:\WINDOWS\system32\iihjQXbc.ini
C:\WINDOWS\system32\iihjQXbc.ini2
C:\WINDOWS\system32\khcoioje.ini
C:\WINDOWS\system32\lbjunmkh.dll
C:\WINDOWS\system32\mmobleeg.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pgwduwig.dll
C:\WINDOWS\system32\phawlibh.ini
C:\WINDOWS\system32\rqRLdcYR.dll
C:\WINDOWS\system32\tmaxntyp.ini
C:\WINDOWS\system32\XGfiSvut.ini
C:\WINDOWS\system32\XGfiSvut.ini2
C:\WINDOWS\system32\yGiSYcdd.ini
C:\WINDOWS\system32\yGiSYcdd.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
.

2008-07-28 17:21 . 2008-07-28 17:21 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-28 17:21 . 2008-07-28 17:23 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-07-28 16:17 . 2008-07-28 18:57 <DIR> d-------- C:\Program Files\SkanerOnline
2008-07-22 20:59 . 2008-07-28 16:05 44,001 ---hs---- C:\WINDOWS\system32\gscatkvv.ini
2008-07-15 00:04 . 2008-07-15 00:04 282,112 --a------ C:\WINDOWS\system32\cbXQjhii.dll
2008-07-04 13:17 . 2008-07-14 23:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-04 13:17 . 2008-07-14 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-07-04 12:31 . 2008-07-04 13:03 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-06-29 10:31 . 2008-07-22 20:57 110,415 --a------ C:\WINDOWS\BMc779bca0.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 07:22 --------- d-----w C:\Documents and Settings\Marek\Dane aplikacji\Skype
2008-07-28 15:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F298B74F-A4F1-4102-B99A-B9FE5D7E801D}]
2008-07-15 00:04 282112 --a------ C:\WINDOWS\system32\cbXQjhii.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
"Gadu-Gadu"="D:\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 12:47 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 05:48 1392640]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 12:35 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"ABRegmon"="C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe" [2007-07-12 10:40 303104]
"ArcaCheck"="C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe" [2007-07-27 13:57 836912]
"AvMenu"="C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe" [2008-01-29 16:12 481800]
"SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 12:06 282624 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TS_LogonListener]
2007-01-12 16:41 101376 C:\WINDOWS\system32\TS_LogonListener.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FFDS"= ffdshow.ax
"msacm.avis"= ff_acm.acm
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 21:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 10:00 1116920 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-11-05 12:22 221184 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 14:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"D:\\Medal\\mohpa.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 ABTDI;ABTDI;C:\Program Files\ArcaBit\ArcaVir\ABTDI.sys [2007-05-08 14:45]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R2 ABFileMon;ArcaBit FileMonitor;C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe [2007-10-09 12:10]
R2 ArcaBit.TaskScheduler;ArcaBit.TaskScheduler;C:\Program Files\ArcaBit\Common\TaskScheduler.exe [2007-01-12 16:42]
R2 AVUpdate;ArcaBit Update Service;C:\Program Files\ArcaBit\ArcaUpdate\update.exe [2007-02-26 16:04]
R3 ABFLT;ArcaBit File Monitor Driver;C:\PROGRA~1\ArcaBit\ArcaVir\ABFLT.sys [2007-09-12 14:37]
R3 ArcaBit.Core.Configurator;ArcaBit.Core.Configurator;C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe [2007-01-11 16:01]
R3 ArcaBit.Core.LoggingService;ArcaBit.Core.LoggingService;C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe [2007-01-11 16:03]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4676fcc6-8b0c-11dc-b506-0019b97fd9ca}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{555e9520-9069-11dc-b508-0019b97fd9ca}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83ce998d-0b11-11dd-b5de-0019b97fd9ca}]
\Shell\Auto\command - G:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2d9bf2e-7815-11dc-b4ec-0019b97fd9ca}]
\Shell\AutoRun\command - G:\EXPLORER.EXE
\Shell\explore\Command - G:\EXPLORER.EXE
\Shell\open\Command - G:\EXPLORER.EXE
.
- - - - ORPHANS REMOVED - - - -

BHO-{9FFF96B4-AEB0-4E2E-9958-52B3943C1F14} - C:\WINDOWS\system32\fcccdBRH.dll
BHO-{E3D40E31-91C2-42BF-A66D-2A1102A1CDC0} - C:\WINDOWS\system32\ddcYSiGy.dll
BHO-{EC63F8C1-B386-46F9-A207-3FF32F08DA7B} - C:\WINDOWS\system32\tuvSifGX.dll
HKLM-Run-BMc779bca0 - C:\WINDOWS\system32\lbjunmkh.dll
MSConfigStartUp-BMc779bca0 - C:\WINDOWS\system32\lbjunmkh.dll
MSConfigStartUp-c44a8f3c - C:\WINDOWS\system32\dkqeelpf.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKLM-Main,Start Page = hxxp://www1.euro.dell.com/content/default.aspx?c=pl&l=pl&s=bsd
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=pl&l=pl&s=bsd
O8 -: E&ksportuj do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O16 -: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
C:\WINDOWS\Downloaded Program Files\SkanerOnline.inf
C:\WINDOWS\system32\SkanerOnlineUninstall.exe
C:\WINDOWS\system32\SkanerOnline.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 09:21:15
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-29 9:24:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-29 07:24:20

Pre-Run: 13,378,834,432 bajtów wolnych
Post-Run: 13,289,738,240 bajt˘w wolnych

173

[Kolobos]

Wywal ArcaVir i zainstaluj Avire.

Podlacz zainfekowane nosniki (G:) i usyj Flash Disinfector.

 

Utworz CFScript.txt i wklej do niego:

 

File::

C:\WINDOWS\system32\gscatkvv.ini

C:\WINDOWS\system32\cbXQjhii.dll

C:\WINDOWS\BMc779bca0.xml

 

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F298B74F-A4F1-4102-B99A-B9FE5D7E801D}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4676fcc6-8b0c-11dc-b506-0019b97fd9ca}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{555e9520-9069-11dc-b508-0019b97fd9ca}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83ce998d-0b11-11dd-b5de-0019b97fd9ca}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2d9bf2e-7815-11dc-b4ec-0019b97fd9ca}]

 

Zapisz i przeciagnij na ikone combofix.

[Niemiec]

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - CF2

ComboFix 08-07-28.4 - Marek 2008-07-29 11:09:39.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.869 [GMT 2:00]
Running from: C:\Documents and Settings\Marek\Pulpit\trojan\ComboFix.exe
Command switches used :: G:\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMc779bca0.xml

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
.

2008-07-28 17:21 . 2008-07-28 17:21 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-28 17:21 . 2008-07-28 17:23 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-07-28 16:17 . 2008-07-28 18:57 <DIR> d-------- C:\Program Files\SkanerOnline
2008-07-22 20:59 . 2008-07-28 16:05 44,001 ---hs---- C:\WINDOWS\system32\gscatkvv.ini
2008-07-04 13:17 . 2008-07-14 23:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-04 13:17 . 2008-07-14 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-07-04 12:31 . 2008-07-04 13:03 <DIR> d-------- C:\Program Files\EsetOnlineScanner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 07:22 --------- d-----w C:\Documents and Settings\Marek\Dane aplikacji\Skype
2008-07-28 15:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
"Gadu-Gadu"="D:\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 12:47 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 05:48 1392640]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 12:35 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"ABRegmon"="C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe" [2007-07-12 10:40 303104]
"ArcaCheck"="C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe" [2007-07-27 13:57 836912]
"AvMenu"="C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe" [2008-01-29 16:12 481800]
"SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 12:06 282624 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TS_LogonListener]
2007-01-12 16:41 101376 C:\WINDOWS\system32\TS_LogonListener.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FFDS"= ffdshow.ax
"msacm.avis"= ff_acm.acm
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 21:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 10:00 1116920 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-11-05 12:22 221184 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 14:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"D:\\Medal\\mohpa.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 ABTDI;ABTDI;C:\Program Files\ArcaBit\ArcaVir\ABTDI.sys [2007-05-08 14:45]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R2 ABFileMon;ArcaBit FileMonitor;C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe [2007-10-09 12:10]
R2 ArcaBit.TaskScheduler;ArcaBit.TaskScheduler;C:\Program Files\ArcaBit\Common\TaskScheduler.exe [2007-01-12 16:42]
R2 AVUpdate;ArcaBit Update Service;C:\Program Files\ArcaBit\ArcaUpdate\update.exe [2007-02-26 16:04]
R3 ABFLT;ArcaBit File Monitor Driver;C:\PROGRA~1\ArcaBit\ArcaVir\ABFLT.sys [2007-09-12 14:37]
R3 ArcaBit.Core.Configurator;ArcaBit.Core.Configurator;C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe [2007-01-11 16:01]
R3 ArcaBit.Core.LoggingService;ArcaBit.Core.LoggingService;C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe [2007-01-11 16:03]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4676fcc6-8b0c-11dc-b506-0019b97fd9ca}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{555e9520-9069-11dc-b508-0019b97fd9ca}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83ce998d-0b11-11dd-b5de-0019b97fd9ca}]
\Shell\Auto\command - G:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2d9bf2e-7815-11dc-b4ec-0019b97fd9ca}]
\Shell\AutoRun\command - G:\EXPLORER.EXE
\Shell\explore\Command - G:\EXPLORER.EXE
\Shell\open\Command - G:\EXPLORER.EXE
.
- - - - ORPHANS REMOVED - - - -

BHO-{F298B74F-A4F1-4102-B99A-B9FE5D7E801D} - C:\WINDOWS\system32\cbXQjhii.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 11:10:58
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-29 11:11:33
ComboFix-quarantined-files.txt 2008-07-29 09:11:25

Pre-Run: 13,275,992,064 bajtów wolnych
Post-Run: 13,266,083,840 bajtów wolnych

112

ta arcavir jest az taka zla?

[Kolobos]

Pewnie, ze zly do tego platny.

 

Usun jeszcze:

C:\WINDOWS\system32\gscatkvv.ini

 

Oraz pozostalosci po infekcji z pendrive'a:

Wklej do notatnika:

REGEDIT4

 

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4676fcc6-8b0c-11dc-b506-0019b97fd9ca}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{555e9520-9069-11dc-b508-0019b97fd9ca}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83ce998d-0b11-11dd-b5de-0019b97fd9ca}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2d9bf2e-7815-11dc-b4ec-0019b97fd9ca}]

 

Zapisz jako fix.reg i uruchom.

 

PS. Zapewne nie uzyles Flash Disinfector jak radzilem?

[Niemiec]

to, ze jest soft platny nie jest przeszkoda, ale przekaze wlascicielowi, ze nalezy pomyslec nad zmiana i wieksza iloscia rozsadku przy korzystaniu z komputera.

 

Flash Disinfector zostal uzyty choc jest to pen na ktorym tylko przenioslem soft do odkazania na tego lapka.

 

ini usuniete, reg dodany.

 

czy to wszystko??

jak tak to dziekuje bardzo.

 

 

EDIT.

 

czy po uzyciu tego Flash Disinfector normalnym jest pojawienie sie na wszstkich dyskach lokalnych i dezinfekowanym penie katalogu autorun.inf ??

Edytowane 29 Lipca 2008 przez Niemiec

[Kolobos]

Tak, katalogow tych nie wolno usuwac. Jezeli wykonales to juz wszystko powinno byc ok.

[Niemiec]

wielkie dzieki.

 

nie zamykaj, bo jutro wrzuce logi z drugiego lapka, ktory mial stycznosc z penem 8O

[Niemiec]

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:24:19, on 2008-08-05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe
C:\Program Files\ArcaBit\ArcaUpdate\update.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe
C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe
C:\Program Files\ArcaBit\Common\TaskScheduler.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe
C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\trojan\HiJackThis.exe
C:\Program Files\WinRAR\WinRAR.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [instantAccess] C:\Program Files\ScannerU\TBRIDGE\BIN\InstantAccess.exe /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\Program Files\ScannerU\TBRIDGE\BIN\RegisterDropHandler.exe
O4 - HKLM\..\Run: [ABRegmon] C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe
O4 - HKLM\..\Run: [ArcaCheck] C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup
O4 - HKLM\..\Run: [AvMenu] C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\Program Files\ScannerU\TBRIDGE\BIN\RegisterDropHandler.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - http://www.mks.com.pl/skaner2k7/SkanerOnline.cab
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O20 - Winlogon Notify: TS_LogonListener - C:\WINDOWS\SYSTEM32\TS_LogonListener.dll
O23 - Service: ArcaBit FileMonitor (ABFileMon) - ArcaBit - C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe
O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit - C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe
O23 - Service: ArcaBit.Core.Configurator - ArcaBit - C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe
O23 - Service: ArcaBit.Core.LoggingService - ArcaBit - C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe
O23 - Service: ArcaBit.TaskScheduler - ArcaBit sp. z o.o. - C:\Program Files\ArcaBit\Common\TaskScheduler.exe
O23 - Service: ArcaBit Update Service (AVUpdate) - ArcaBit - C:\Program Files\ArcaBit\ArcaUpdate\update.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5431 bytes

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - combo

ComboFix 08-07-28.4 - Marek 2008-08-05 22:09:22.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.393 [GMT 2:00]
Running from: c:\trojan\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Marek\lsass.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\bKSDJiPo.ini
C:\WINDOWS\system32\bKSDJiPo.ini2
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\oPiJDSKb.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rQHXOHbX.dll
C:\WINDOWS\system32\urQHxuVn.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 22:03 . 2008-08-05 22:03 <DIR> d-------- C:\trojan
2008-08-05 22:03 . 2008-07-29 11:09 103,992 --a------ C:\Flash_Disinfector.exe
2008-08-05 22:03 . 2008-07-29 21:08 510 --a------ C:\pendrive_fix.reg
2008-08-05 21:38 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-08-05 21:37 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-22 21:03 . 2008-07-22 21:03 <DIR> d-------- C:\WINDOWS\system32\kBin02

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 12:25 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-04 12:20 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2005-09-07 14:19 418 ----a-w C:\Program Files\INSTALL.LOG
1998-04-30 12:56 129,024 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-15 18:17 196608]
"InstantAccess"="C:\Program Files\ScannerU\TBRIDGE\BIN\InstantAccess.exe" [1998-07-08 07:04 37376]
"RegisterDropHandler"="C:\Program Files\ScannerU\TBRIDGE\BIN\RegisterDropHandler.exe" [1998-07-08 07:20 22528]
"ABRegmon"="C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe" [2007-07-12 10:40 303104]
"ArcaCheck"="C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe" [2007-07-27 13:57 836912]
"AvMenu"="C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe" [2008-01-29 15:12 481800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="C:\Program Files\ScannerU\TBRIDGE\BIN\RegisterDropHandler.exe" [1998-07-08 07:20 22528]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Action Manager 32.lnk - C:\Program Files\ScannerU\AM32.exe [2006-08-25 17:28:41 57344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TS_LogonListener]
2007-01-12 16:41 101376 C:\WINDOWS\system32\TS_LogonListener.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DSLMON.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\DSLMON.lnk
backup=C:\WINDOWS\pss\DSLMON.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\U.S. Robotics Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
--a------ 2005-11-16 11:57 2207744 D:\Program Files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-10-13 17:33 19975208 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"D:\\Program Files\\Gadu-Gadu\\ggphone\\ggphone.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 ABTDI;ABTDI;C:\Program Files\ArcaBit\ArcaVir\ABTDI.sys [2007-05-08 14:45]
R2 ABFileMon;ArcaBit FileMonitor;C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe [2007-10-09 12:10]
R2 ArcaBit.TaskScheduler;ArcaBit.TaskScheduler;C:\Program Files\ArcaBit\Common\TaskScheduler.exe [2007-01-12 16:42]
R2 AVUpdate;ArcaBit Update Service;C:\Program Files\ArcaBit\ArcaUpdate\update.exe [2007-02-26 16:04]
R3 ABFLT;ArcaBit File Monitor Driver;C:\PROGRA~1\ARCABIT\ARCAVIR\ABFLT.sys [2007-09-12 14:37]
R3 ArcaBit.Core.Configurator;ArcaBit.Core.Configurator;C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe [2007-01-11 16:01]
R3 NtApm;Sterownik interfejsu NT Apm/Legacy;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-10-26 19:03]
S2 BulkUsb;USB Scanner;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 ArcaBit.Core.LoggingService;ArcaBit.Core.LoggingService;C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe [2007-01-11 16:03]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2004-09-07 16:42]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 21:08]
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;C:\WINDOWS\system32\DRIVERS\WebSTAR.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43f1e8a8-ec82-11dc-aa6c-0014c102cf03}]
\Shell\Auto\command - K:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99524f60-a238-11da-87e8-4d6564696130}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)
MSConfigStartUp-Eraser - C:\Program Files\Eraser\eraser.exe
MSConfigStartUp-Internet Download Accelerator - C:\Program Files\IDA\ida.exe
MSConfigStartUp-Odkurzacz-MCD - C:\Program Files\Odkurzacz\odk_mcd.exe
MSConfigStartUp-WooCnxMon - C:\PROGRA~1\NEOSTR~1\CnxMon.exe
MSConfigStartUp-WOOTASKBARICON - C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
MSConfigStartUp-WOOWATCH - C:\PROGRA~1\NEOSTR~1\Watch.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.onet.pl/
O8 -: Download ALL with IDA
O8 -: Download with IDA
O8 -: E&ksportuj do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O16 -: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} - hxxp://mks.com.pl/skaner/SkanerOnline.cab
C:\WINDOWS\Downloaded Program Files\SkanerOnline.inf
C:\WINDOWS\system32\SkanerOnlineUninstall.exe
C:\WINDOWS\system32\SkanerOnline.dll

O16 -: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner2k7/SkanerOnline.cab
C:\WINDOWS\Downloaded Program Files\SkanerOnline.inf
C:\WINDOWS\system32\SkanerOnlineUninstall.exe
C:\WINDOWS\system32\SkanerOnline.dll

O16 -: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} - hxxps://www.bph.pl/pi/components/SignActivX.cab
C:\WINDOWS\Downloaded Program Files\SignActivX.ocx

O16 -: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
C:\WINDOWS\Downloaded Program Files\SkanerOnline.inf
C:\WINDOWS\system32\SkanerOnlineUninstall.exe
C:\WINDOWS\system32\SkanerOnline.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 22:18:10
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\WLTRYSVC.EXE
C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\PROGRAM FILES\ARCABIT\ARCAVIR\NETMONSV.EXE
.
**************************************************************************
.
Completion time: 2008-08-05 22:20:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-05 20:19:58

Pre-Run: 487,735,296 bajtów wolnych
Post-Run: 425,295,872 bajt˘w wolnych

176 --- E O F --- 2008-07-04 09:50:35

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - silent

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Creative Detector" = ""C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R" ["Creative Technology Ltd"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"InstantAccess" = "C:\Program Files\ScannerU\TBRIDGE\BIN\InstantAccess.exe /h" [null data]
"RegisterDropHandler" = "C:\Program Files\ScannerU\TBRIDGE\BIN\RegisterDropHandler.exe" [empty string]
"ABRegmon" = "C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe" ["ArcaBit"]
"ArcaCheck" = "C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup" ["ArcaBit"]
"AvMenu" = "C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe" ["ArcaBit"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> TS_LogonListener\DLLName = "TS_LogonListener.dll" ["ArcaBit sp. z o.o."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "F:\Narzędziowe\7-Zip\7-zip.dll" ["Igor Pavlov"]
ArcaVirShell\(Default) = "{D7824897-C8DC-49b4-B790-30F7ED16A5FD}"
-> {HKLM...CLSID} = "ArcaVir Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "F:\Narzędziowe\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
ArcaVirShell\(Default) = "{D7824897-C8DC-49b4-B790-30F7ED16A5FD}"
-> {HKLM...CLSID} = "ArcaVir Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoViewOnDrive" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoChangeKeyboardNavigationIndicators" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSharedDocuments" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Remove Shared Documents from My Computer}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoRemoteRecursiveEvents" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"ClassicShell" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"Colors" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"NoInternetOpenWith" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "None"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

CTPlayAudioOnArrival\
"Provider" = "@C:\Program Files\Creative\MediaSource\CTCMS.CRL,-14345"
"InvokeProgID" = "CTAutoPL.AudioCDPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPL.AudioCDPlayer.1\shell\open\command\(Default) = ""C:\Program Files\Creative\MediaSource\CTCMS.exe" /T=CLASSKEY_AudioCD IN %L PlayNow" ["Creative Technology Ltd"]

CTPlayMusicFilesOnArrival\
"Provider" = "@C:\Program Files\Creative\MediaSource\CTCMS.CRL,-14345"
"InvokeProgID" = "CTAutoPL.MusicFilesPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPL.MusicFilesPlayer.1\shell\open\command\(Default) = ""C:\Program Files\Creative\MediaSource\CTCMS.exe" /Organizer" ["Creative Technology Ltd"]

MPCPlayCDAudioOnArrival\
"Provider" = "Media Player Classi"
"InvokeProgID" = "MPC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\MPC.CDAudio\shell\play\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %L /cd" [file not found]

MPCPlayDVDMovieOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MPC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\MPC.DVDMovie\shell\play\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %L /dvd" [file not found]

NeroAutoPlay7CDAudio\
"Provider" = "Nero SoundTrax"
"InvokeProgID" = "Nero.AutoPlay3"
"InvokeVerb" = "HandleCDBurningOnArrival_CDAudio"
HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "F:\Nero SoundTrax\SoundTrax.exe /" ["Nero AG"]

NeroAutoPlay7CopyCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay3"
"InvokeVerb" = "PlayMusicFilesOnArrival_CopyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\PlayMusicFilesOnArrival_CopyCD\command\(Default) = "F:\Core\nero.exe /Dialog:DiscCopy /Drive:%L" ["Nero AG"]

NeroAutoPlay7PlayAudioCD\
"Provider" = "Nero SoundTrax"
"InvokeProgID" = "Nero.AutoPlay3"
"InvokeVerb" = "PlayCDAudioOnArrival_PlayAudioCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\PlayCDAudioOnArrival_PlayAudioCD\command\(Default) = "F:\Nero SoundTrax\SoundTrax.exe /Play /Drive:%L" ["Nero AG"]

PDVDPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%L"" ["CyberLink Corp."]


Startup items in "Marek" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Action Manager 32" -> shortcut to: "C:\Program Files\ScannerU\AM32.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{9819CC0E-9669-4D01-9CD7-2C66DA43AC6C}\

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ArcaBit FileMonitor, ABFileMon, ""C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe"" ["ArcaBit"]
ArcaBit NetMonitor, ABNetMon, "C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe" ["ArcaBit"]
ArcaBit Update Service, AVUpdate, "C:\Program Files\ArcaBit\ArcaUpdate\update.exe" ["ArcaBit"]
ArcaBit.Core.Configurator, ArcaBit.Core.Configurator, ""C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe"" ["ArcaBit"]
ArcaBit.TaskScheduler, ArcaBit.TaskScheduler, ""C:\Program Files\ArcaBit\Common\TaskScheduler.exe"" ["ArcaBit sp. z o.o."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
U.S. Robotics Wireless LAN Service, wltrysvc, "C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe" [null data]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]


---------- (launch time: 2008-08-05 22:21:20)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 38 seconds.
---------- (total run time: 125 seconds)

LOL 4 spoilerow w poscie juz nie przyjmuje i 2 ostatnie rozwija 8O SDfixa dam pozniej 8O Edytowane 5 Sierpnia 2008 przez Niemiec

[Kolobos]

Usun:

C:\WINDOWS\system32\kBin02

 

Daj tez log z sdfix.

 

Utworz i uruchom taki fix.reg:

REGEDIT4

 

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99524f60-a238-11da-87e8-4d6564696130}]

[Niemiec]

log z sdfix robiony wczoraj razem z reszta:

Edytowane 6 Sierpnia 2008 przez Kolobos

[Kolobos]

Masz uruchomic system w trybie awaryjnym i tam uzyc SDFix.

[Niemiec]

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - sdfix

SDFix: Version 1.209
Run by Marek on 2008-08-07 at 10:59

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\trojan\SDFix\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 11:06:22
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\Program Files\\Gadu-Gadu\\gg.exe"="D:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program glowny"
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"="C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE:*:Enabled:Firefox"
"D:\\Program Files\\Gadu-Gadu\\ggphone\\ggphone.exe"="D:\\Program Files\\Gadu-Gadu\\ggphone\\ggphone.exe:*:Disabled:Internetowe polaczenia telefoniczne"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Tue 2 Aug 2005 864 A.SH. --- "C:\nlmmvefv.sys"
Wed 13 Oct 2004 1,694,208 A.SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 22 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5e981018652bb577d09bbdd87faec116\BIT2.tmp"

Finished!

[Kolobos]

Zostal do kasacji tylko ten pliki:

Tue 2 Aug 2005 864 A.SH. --- "C:\nlmmvefv.sys"

 

Reszta wyglada ok.

[Niemiec]

i jeszcze jedna maszyna 8O zasdniczo dziala niezle, ale sa klopoty z otwieraniem czesci stron www. jakis czas temu wywalalem z niej upierdliwca pt "antivirus2009"

 

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - combofix

ComboFix 08-07-28.4 - Marek 2008-08-20 10:48:09.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.546 [GMT 2:00]

Running from: C:\Documents and Settings\Marek\Pulpit\trojan\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

- REDUCED FUNCTIONALITY MODE -

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\csrss.exe

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\mcrh.tmp

 

.

((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))

.

 

2008-08-20 10:41 . 2008-08-20 10:41 58,116 --a------ C:\WINDOWS\system32\raehnxsg.dll

2008-08-18 19:16 . 2008-08-20 10:44 1,509,969 ---hs---- C:\WINDOWS\system32\igwirdja.ini

2008-08-18 19:16 . 2008-08-18 19:16 86,016 --a------ C:\WINDOWS\system32\ajdriwgi.dll

2008-08-18 19:13 . 2008-08-18 19:13 2,048 --a------ C:\WINDOWS\system32\mbnknmai.exe

2008-08-18 19:11 . 2008-08-18 19:11 95,744 --a------ C:\WINDOWS\system32\wxamqsgh.dll

2008-08-18 18:35 . 2008-08-18 18:35 128 --a------ C:\Documents and Settings\Marek\index.exe

2008-08-18 18:26 . 2008-08-18 18:26 355 --a------ C:\964.bat

2008-08-18 18:25 . 2008-08-18 18:25 34,304 --a------ C:\WINDOWS\system32\fccbXnOG.dll

2008-08-18 18:25 . 2008-08-18 18:25 34,304 --a------ C:\WINDOWS\system32\awttsRIA.dll

2008-08-17 19:12 . 2008-08-18 18:35 1,506,702 ---hs---- C:\WINDOWS\system32\yoiyennq.ini

2008-08-17 19:12 . 2008-08-17 19:12 2,048 --a------ C:\WINDOWS\system32\jaiimknx.exe

2008-08-17 19:10 . 2008-08-17 19:10 95,744 --a------ C:\WINDOWS\system32\jeiomxnf.dll

2008-08-17 11:24 . 2008-08-17 11:24 34,304 --a------ C:\WINDOWS\system32\yaywvwwV.dll

2008-08-17 11:24 . 2008-08-17 11:24 34,304 --a------ C:\WINDOWS\system32\jkkIBQhi.dll

2008-08-16 21:33 . 2008-08-16 21:33 <DIR> d-------- C:\Program Files\Lavasoft

2008-08-16 21:21 . 2008-08-16 21:21 34,304 --a------ C:\WINDOWS\system32\wvUnMfed.dll

2008-08-16 21:21 . 2008-08-16 21:21 34,304 --a------ C:\WINDOWS\system32\vtUkkkhE.dll

2008-08-16 17:25 . 2008-08-17 19:09 1,506,402 ---hs---- C:\WINDOWS\system32\bjamjdlf.ini

2008-08-16 17:24 . 2008-08-16 17:24 2,048 --a------ C:\WINDOWS\system32\yldsaymd.exe

2008-08-16 17:21 . 2008-08-16 17:21 95,744 --a------ C:\WINDOWS\system32\fbvvjeng.dll

2008-08-15 17:27 . 2008-08-15 17:27 2,048 --a------ C:\WINDOWS\system32\fedbospk.exe

2008-08-15 17:24 . 2008-08-15 17:24 1,499,956 ---hs---- C:\WINDOWS\system32\ulsfagfh.ini

2008-08-15 17:21 . 2008-08-15 17:21 95,744 --a------ C:\WINDOWS\system32\pmraddus.dll

2008-08-15 17:19 . 2008-08-15 17:19 95,744 --a------ C:\WINDOWS\system32\kgeglglc.dll

2008-08-14 09:48 . 2008-08-14 09:49 1,499,176 ---hs---- C:\WINDOWS\system32\qcboxaox.ini

2008-08-14 09:48 . 2008-08-14 09:48 97,792 --a------ C:\WINDOWS\system32\xoaxobcq.dll

2008-08-14 09:45 . 2008-08-14 09:45 2,048 --a------ C:\WINDOWS\system32\anmibtpq.exe

2008-08-14 09:42 . 2008-08-18 20:49 110,442 --a------ C:\WINDOWS\BM21150afd.xml

2008-08-14 09:42 . 2008-08-14 09:42 107,520 --a------ C:\WINDOWS\system32\amgltscp.dll

2008-08-14 06:40 . 2008-08-14 06:40 1,499,116 ---hs---- C:\WINDOWS\system32\ewwwmusa.ini

2008-08-14 06:39 . 2008-08-20 10:48 358,824 --ahs---- C:\WINDOWS\system32\kjPoUBeg.ini2

2008-08-14 06:39 . 2008-08-20 10:48 358,824 --ahs---- C:\WINDOWS\system32\kjPoUBeg.ini

2008-08-14 06:39 . 2008-08-14 06:39 295,936 --a------ C:\WINDOWS\system32\geBUoPjk.dll

2008-08-14 06:34 . 2008-08-14 06:34 48,640 --a------ C:\WINDOWS\system32\tuvVLeEu.dll

2008-08-13 21:45 . 2008-08-13 21:45 77 --a------ C:\Documents and Settings\Marek\6828.bat

2008-08-10 18:14 . 2008-08-10 18:14 <DIR> d-------- C:\WINDOWS\system32\pl

2008-08-10 18:14 . 2008-08-10 18:14 <DIR> d-------- C:\WINDOWS\system32\bits

2008-08-10 18:14 . 2008-08-10 18:14 <DIR> d-------- C:\WINDOWS\l2schemas

2008-08-10 18:11 . 2008-08-10 18:14 <DIR> d-------- C:\WINDOWS\ServicePackFiles

2008-08-10 18:01 . 2008-08-10 18:01 <DIR> d-------- C:\WINDOWS\EHome

2008-08-08 12:03 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys

2008-08-08 12:03 . 2004-08-03 22:41 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys

2008-08-08 12:03 . 2004-08-03 22:41 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys

2008-08-08 12:03 . 2004-07-17 22:55 129,045 --------- C:\WINDOWS\system32\drivers\cxthsfs2.cty

2008-08-08 12:03 . 2004-08-03 22:41 11,868 --------- C:\WINDOWS\system32\drivers\mdmxsdk.sys

2008-07-31 16:01 . 2008-07-31 16:02 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft

2008-07-25 15:26 . 2008-04-17 15:33 83,968 ---hs---- C:\Documents and Settings\Marek\lsass.exe

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-20 08:42 --------- d-----w C:\Program Files\Eraser

2008-08-16 19:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-08-15 19:10 --------- d-----w C:\Program Files\Odkurzacz

2008-08-14 08:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-08-14 08:33 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy

2008-08-08 08:32 --------- d-----w C:\Program Files\Google

2008-07-31 14:04 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys

2008-07-31 14:03 15,648 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys

2008-07-31 14:03 12,960 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys

2008-07-31 14:03 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe

2008-07-25 14:17 --------- d-----w C:\Program Files\Cossacks

2008-07-15 20:34 --------- d-----w C:\Program Files\IrfanView

2008-07-14 19:42 --------- d-----w C:\Program Files\AutoMapa EU

2008-07-12 10:16 --------- d-----w C:\Documents and Settings\Marek\Dane aplikacji\Skype

2008-07-11 15:26 --------- d-----w C:\Program Files\Java

2008-07-04 10:27 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab

2008-06-20 17:48 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 17:48 246,784 ------w C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 17:48 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys

2008-06-14 17:36 273,024 ------w C:\WINDOWS\system32\dllcache\bthport.sys

2004-07-22 08:51 3,432,656 -c--a-w C:\Program Files\ManagedDX.CAB

2004-07-19 20:58 1,156,363 -c--a-w C:\Program Files\BDANT.cab

2004-07-19 20:53 976,020 -c--a-w C:\Program Files\BDAXP.cab

2004-07-16 12:30 3,858 -c--a-w C:\Program Files\directx redist.txt

2004-07-09 12:17 13,265,040 -c--a-w C:\Program Files\dxnt.cab

2004-07-09 07:13 703,080 -c--a-w C:\Program Files\BDA.cab

2004-07-09 07:13 15,493,481 -c--a-w C:\Program Files\DirectX.cab

2004-07-09 02:08 472,576 -c--a-w C:\Program Files\dxsetup.exe

2004-07-09 02:08 2,242,560 -c--a-w C:\Program Files\dsetup32.dll

2004-07-09 01:03 62,976 -c--a-w C:\Program Files\DSETUP.dll

2003-08-05 12:25 194 -c--a-w C:\Program Files\EraserSetup.asc

2003-08-05 12:24 2,833,921 -c--a-w C:\Program Files\EraserSetup.exe

2003-08-05 12:23 4,600 -c--a-w C:\Program Files\History.txt

2003-07-25 08:33 6,159 -c--a-w C:\Program Files\README.txt

2002-01-07 03:30 18,351 -c--a-w C:\Program Files\COPYING.txt

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57DF73C0-833C-48B7-9146-1E18930D57FF}]

2008-08-14 06:34 48640 --a------ C:\WINDOWS\system32\tuvVLeEu.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C401AC3D-E935-414F-9D59-12942C2E42E1}]

2008-08-14 06:39 295936 --a------ C:\WINDOWS\system32\geBUoPjk.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Eraser"="C:\Program Files\Eraser\eraser.exe" [2003-07-25 11:15 536576]

"H/PC Connection Agent"="D:\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 15:57 1289000]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 16:18 94208]

"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2008-03-03 15:44 266240]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 19:21 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

"ABRegmon"="C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe" [2007-07-12 10:40 303104]

"ArcaCheck"="C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe" [2007-07-27 13:57 836912]

"AvMenu"="C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe" [2008-01-29 16:12 481800]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 01:06 487424]

"22263961"="C:\WINDOWS\system32\ajdriwgi.dll" [2008-08-18 19:16 86016]

"BM21150afd"="C:\WINDOWS\system32\wxamqsgh.dll" [2008-08-18 19:11 95744]

"LSA Shellu"="C:\Documents and Settings\Marek\lsass.exe" [2008-04-17 15:33 83968]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 19:21 15360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{57DF73C0-833C-48B7-9146-1E18930D57FF}"= "C:\WINDOWS\system32\tuvVLeEu.dll" [2008-08-14 06:34 48640]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]

2004-11-10 02:19 38912 C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TS_LogonListener]

2007-01-12 16:41 101376 C:\WINDOWS\system32\TS_LogonListener.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvVLeEu]

2008-08-14 06:34 48640 C:\WINDOWS\system32\tuvVLeEu.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.divxa32"= DivXa32.acm

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geBUoPjk

Notification Packages REG_MULTI_SZ scecli AsWlnPkg

 

[HKLM\~\startupfolder\C:^Documents and Settings^Marek^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5 - Hammers of Fate.LNK]

path=C:\Documents and Settings\Marek\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5 - Hammers of Fate.LNK

backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5 - Hammers of Fate.LNKStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Marek^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5.LNK]

path=C:\Documents and Settings\Marek\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5.LNK

backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

--a--c--- 2005-01-19 21:40 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

--a--c--- 2004-09-23 12:41 860160 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

--a--c--- 2004-10-14 09:11 1388544 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2006-04-13 01:57 36972 C:\Program Files\Java\jre1.5.0\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]

--a--c--- 2004-12-08 18:44 184320 C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\U.S. Robotics\\EasyConfigurator\\EasyConfigurator.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"D:\\Gry Filipa\\Age of Empires III\\age3x.exe"=

"D:\Microsoft ActiveSync\rapimgr.exe"= D:\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"D:\Microsoft ActiveSync\wcescomm.exe"= D:\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"D:\Microsoft ActiveSync\WCESMgr.exe"= D:\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"D:\\Gry Filipa\\Bitwa\\game.dat"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

 

R1 ABTDI;ABTDI;C:\Program Files\ArcaBit\ArcaVir\ABTDI.sys [2007-05-08 14:45]

R2 ABFileMon;ArcaBit FileMonitor;C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe [2007-10-10 07:55]

R2 ArcaBit.TaskScheduler;ArcaBit.TaskScheduler;C:\Program Files\ArcaBit\Common\TaskScheduler.exe [2007-01-12 16:42]

R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2008-04-14 19:21]

R2 AVUpdate;ArcaBit Update Service;C:\Program Files\ArcaBit\ArcaUpdate\update.exe [2007-02-26 16:04]

R3 ABFLT;ArcaBit File Monitor Driver;C:\PROGRA~1\ArcaBit\ArcaVir\ABFLT.sys [2007-09-12 14:37]

R3 ArcaBit.Core.Configurator;ArcaBit.Core.Configurator;C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe [2007-01-11 16:01]

R3 ArcaBit.Core.LoggingService;ArcaBit.Core.LoggingService;C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe [2007-01-11 16:03]

R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 18:26]

S2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe []

S3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2004-09-02 14:30]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Cognizance REG_MULTI_SZ ASChannel

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c98c58e-cbbe-11db-bbd4-001560c6ebd0}]

\Shell\Auto\command - RavMonE.exe e

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f0ccbe4-cc45-11dc-be73-001560c6ebd0}]

\Shell\Auto\command - H:\Start.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

 

*Newly Created Service* - CATCHME

.

- - - - ORPHANS REMOVED - - - -

 

HKCU-Run-Gadu-Gadu - C:\Program Files\Gadu-Gadu\gg.exe

HKLM-Run-MsgCenterExe - C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

HKLM-Run-SYSTEM.rt32 - C:\DOCUME~1\Marek\USTAWI~1\Temp\lsass.exe

 

 

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.onet.pl/

R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

R1 -: HKCU-Internet Connection Wizard,ShellNext = https://www.printme.com/support/adobe/Print...orWindowsXP.exe

O8 -: E&ksport do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 -: E&ksportuj do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O18 -: Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

 

O16 -: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab

C:\WINDOWS\Downloaded Program Files\SkanerOnline.inf

C:\WINDOWS\system32\SkanerOnlineUninstall.exe

C:\WINDOWS\system32\SkanerOnline.dll

 

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-20 10:49:07

Windows 5.1.2600 Dodatek Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\system32\winlogon.exe

-> C:\WINDOWS\system32\tuvVLeEu.dll

 

PROCESS: C:\WINDOWS\system32\lsass.exe

-> C:\WINDOWS\system32\geBUoPjk.dll

-> C:\Documents and Settings\Marek\lsass.exe

.

Completion time: 2008-08-20 10:52:29

ComboFix-quarantined-files.txt 2008-08-20 08:52:22

 

Pre-Run: 1,762,844,672 bajtów wolnych

Post-Run: 1,747,656,704 bajtów wolnych

 

249 --- E O F --- 2008-08-10 21:07:39

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - hijackthis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:53:52, on 2008-08-20

Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ArcaBit\ArcaUpdate\update.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe

C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe

C:\Program Files\ArcaBit\Common\TaskScheduler.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe

C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Documents and Settings\Marek\lsass.exe

C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe

C:\Program Files\Eraser\eraser.exe

D:\Microsoft ActiveSync\Wcescomm.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

D:\MICROS~1\rapimgr.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Marek\Pulpit\trojan\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.printme.com/support/adobe/Print...orWindowsXP.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [ABRegmon] C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe

O4 - HKLM\..\Run: [ArcaCheck] C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup

O4 - HKLM\..\Run: [AvMenu] C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [22263961] rundll32.exe "C:\WINDOWS\system32\ajdriwgi.dll",b

O4 - HKLM\..\Run: [bM21150afd] Rundll32.exe "C:\WINDOWS\system32\wxamqsgh.dll",s

O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Marek\lsass.exe

O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide

O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Microsoft ActiveSync\Wcescomm.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\MICROS~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\MICROS~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Utwórz Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\MICROS~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com

O15 - Trusted Zone: http://mks.com.pl

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virussca...can_unicode.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174480013328

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: ArcaBit FileMonitor (ABFileMon) - ArcaBit - C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe

O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit - C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe

O23 - Service: ArcaBit.Core.Configurator - ArcaBit - C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe

O23 - Service: ArcaBit.Core.LoggingService - ArcaBit - C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe

O23 - Service: ArcaBit.TaskScheduler - ArcaBit sp. z o.o. - C:\Program Files\ArcaBit\Common\TaskScheduler.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ArcaBit Update Service (AVUpdate) - ArcaBit - C:\Program Files\ArcaBit\ArcaUpdate\update.exe

O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 7766 bytes

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - sdfix

 

SDFix: Version 1.209

Run by Marek on 2008-08-20 at 11:06

 

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\DOCUME~1\Marek\Pulpit\trojan\SDFix\SDFix

 

Checking Services :

 

 

Restoring Default Security Values

Restoring Default Hosts File

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\WINDOWS\system32\tuvVLeEu.dll - Deleted

C:\Documents and Settings\Marek\lsass.exe - Deleted

 

 

 

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-20 11:16:57

Windows 5.1.2600 Dodatek Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

scanning hidden registry entries ...

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

"TracesProcessed"=dword:0000004b

"TracesSuccessful"=dword:00000002

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\U.S. Robotics\\EasyConfigurator\\EasyConfigurator.exe"="C:\\Program Files\\U.S. Robotics\\EasyConfigurator\\EasyConfigurator.exe:*:Enabled:LaunchAnywhere GUI"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

"D:\\Gry Filipa\\Age of Empires III\\age3x.exe"="D:\\Gry Filipa\\Age of Empires III\\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"

"D:\\Microsoft ActiveSync\\rapimgr.exe"="D:\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"

"D:\\Microsoft ActiveSync\\wcescomm.exe"="D:\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"

"D:\\Microsoft ActiveSync\\WCESMgr.exe"="D:\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

"D:\\Gry Filipa\\Bitwa\\game.dat"="D:\\Gry Filipa\\Bitwa\\game.dat:*:Enabled:Bitwa o —r˘dziemie "

"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

"D:\\Microsoft ActiveSync\\rapimgr.exe"="D:\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"

"D:\\Microsoft ActiveSync\\wcescomm.exe"="D:\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"

"D:\\Microsoft ActiveSync\\WCESMgr.exe"="D:\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

 

Remaining Files :

 

 

File Backups: - C:\DOCUME~1\Marek\Pulpit\trojan\SDFix\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Thu 31 Jul 2008 7,673,177 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\1df60e2d17c7a7cd18c479e61c6f5678\BIT7.tmp"

Thu 31 Jul 2008 8,843,004 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\5e8a8c4e3fdc3a6b3a3ac1083accf81e\BIT9.tmp"

Fri 1 Aug 2008 8,947,240 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\a756e9250f13962d91bb11bfbce0062d\BIT3.tmp"

Thu 31 Jul 2008 4,002,699 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\c9e0a1f39e0cc4f28d528e7663acf15f\BIT6.tmp"

 

Finished!

 

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - silentrunners

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Eraser" = "C:\Program Files\Eraser\eraser.exe -hide" ["-"]

"H/PC Connection Agent" = ""D:\Microsoft ActiveSync\Wcescomm.exe"" [MS]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" ["Nero AG"]

"Odkurzacz-MCD" = "C:\Program Files\Odkurzacz\odk_mcd.exe" ["Franmo Software"]

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"ABRegmon" = "C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe" ["ArcaBit"]

"ArcaCheck" = "C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup" ["ArcaBit"]

"AvMenu" = "C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe" ["ArcaBit"]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"Sony Ericsson PC Suite" = ""C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions" [null data]

"22263961" = "rundll32.exe "C:\WINDOWS\system32\ajdriwgi.dll",b" [MS]

"BM21150afd" = "Rundll32.exe "C:\WINDOWS\system32\wxamqsgh.dll",s" [MS]

"LSA Shellu" = "C:\Documents and Settings\Marek\lsass.exe" [null data]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "AcroIEHlprObj Class"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{57DF73C0-833C-48B7-9146-1E18930D57FF}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\tuvVLeEu.dll" [null data]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

{C401AC3D-E935-414F-9D59-12942C2E42E1}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\geBUoPjk.dll" [null data]

{DF21F1DB-80C6-11D3-9483-B03D0EC10000}\(Default) = "HP Credential Manager for ProtectTools"

-> {HKLM...CLSID} = "HP Credential Manager for ProtectTools"

\InProcServer32\(Default) = "C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll" ["Cognizance Corporation"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{666C78C1-A9B6-4AB4-94ED-DC238C81E925}" = "Document Manager"

-> {HKLM...CLSID} = "Document Manager (Shell Extension)"

\InProcServer32\(Default) = "C:\Program Files\HPQ\IAM\Bin\SFSShell.dll" ["Cognizance Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{A4D78B20-6E05-1069-8758-4E73FD83DEAD}" = "QCopy"

-> {HKLM...CLSID} = "QCopy"

\InProcServer32\(Default) = "dropcpyr.dll" [null data]

"{8BE13461-936F-11D1-A87D-444553540000}" = "Eraser Shell Extension"

-> {HKLM...CLSID} = "Eraser Shell Extension"

\InProcServer32\(Default) = "C:\PROGRA~1\Eraser\erasext.dll" ["-"]

"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"

-> {HKLM...CLSID} = "Urządzenie przenośne"

\InProcServer32\(Default) = "D:\MICROS~1\Wcesview.dll" [MS]

"{D7824897-C8DC-49b4-B790-30F7ED16A5FD}" = "ArcaVir Shell Extension"

-> {HKLM...CLSID} = "ArcaVir Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{03DAACC5-10BA-4E3E-9D54-2A569F6B4B87}" = "Sony Ericsson File Manager"

-> {HKLM...CLSID} = "Sony Ericsson File Manager"

\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]

"{738D66C6-0149-4D40-84E4-A7BB2D0CE949}" = "Sony Ericsson File Manager"

-> {HKLM...CLSID} = "Sony Ericsson File Manager"

\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{57DF73C0-833C-48B7-9146-1E18930D57FF}" = "*o*o)*E*" (unwritable string)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\tuvVLeEu.dll" [null data]

 

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\

<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\geBUoPjk"

 

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\

<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

<<!>> OneCard\DLLName = "C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll" ["Cognizance Corporation"]

<<!>> TS_LogonListener\DLLName = "TS_LogonListener.dll" ["ArcaBit sp. z o.o."]

<<!>> tuvVLeEu\DLLName = "tuvVLeEu.dll" [null data]

 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

ArcaVirShell\(Default) = "{D7824897-C8DC-49b4-B790-30F7ED16A5FD}"

-> {HKLM...CLSID} = "ArcaVir Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]

Document Manager\(Default) = "{666C78C1-A9B6-4AB4-94ED-DC238C81E925}"

-> {HKLM...CLSID} = "Document Manager (Shell Extension)"

\InProcServer32\(Default) = "C:\Program Files\HPQ\IAM\Bin\SFSShell.dll" ["Cognizance Corporation"]

Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"

-> {HKLM...CLSID} = "Eraser Shell Extension"

\InProcServer32\(Default) = "C:\PROGRA~1\Eraser\erasext.dll" ["-"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

Document Manager\(Default) = "{666C78C1-A9B6-4AB4-94ED-DC238C81E925}"

-> {HKLM...CLSID} = "Document Manager (Shell Extension)"

\InProcServer32\(Default) = "C:\Program Files\HPQ\IAM\Bin\SFSShell.dll" ["Cognizance Corporation"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

ArcaVirShell\(Default) = "{D7824897-C8DC-49b4-B790-30F7ED16A5FD}"

-> {HKLM...CLSID} = "ArcaVir Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]

Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"

-> {HKLM...CLSID} = "Eraser Shell Extension"

\InProcServer32\(Default) = "C:\PROGRA~1\Eraser\erasext.dll" ["-"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

 

Default executables:

--------------------

 

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"

 

 

Group Policies {policy setting}:

--------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"NoDrives" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"NoDrives" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideStartupScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Devices: Allow undock without having to log on}

 

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideStartupScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

 

 

Windows Portable Device AutoPlay Handlers

-----------------------------------------

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

 

DVDDecrypterPlayDVDMovieOnArrival\

"Provider" = "DVD Decrypter"

"InvokeProgID" = "DVDDecrypter"

"InvokeVerb" = "PlayDVDMovieOnArrival_Decrypt"

HKLM\SOFTWARE\Classes\DVDDecrypter\shell\PlayDVDMovieOnArrival_Decrypt\Command\(Default) = ""E:\Program Files\DVD Decrypter\DVDDecrypter.exe" /MODE READ /SOURCE "%1"" ["LIGHTNING UK!"]

 

IviDVDEventHandler\

"Provider" = "InterVideo WinDVD"

"InvokeProgID" = "Ivi.MediaFile"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = ""C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1" ["InterVideo Inc."]

 

IviVideoCDHandler\

"Provider" = "InterVideo WinDVD"

"InvokeProgID" = "Ivi.MediaFile"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = ""C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1" ["InterVideo Inc."]

 

MMJBAutoplayBURNERPLUS\

"Provider" = "MUSICMATCH Burner Plus"

"InvokeProgID" = "MMJB.BURN"

"InvokeVerb" = "Burn"

HKLM\SOFTWARE\Classes\MMJB.BURN\shell\Burn\Command\(Default) = ""C:\Program Files\Musicmatch\Musicmatch Jukebox\mmfwlaunch.exe""-mmjb"" ["Musicmatch, Inc."]

 

MMJBPlayCDAudioOnArrival\

"Provider" = "Musicmatch Jukebox"

"InvokeProgID" = "MMJB.AUDIOCD"

"InvokeVerb" = "Play"

HKLM\SOFTWARE\Classes\MMJB.AUDIOCD\shell\Play\command\(Default) = ""C:\Program Files\Musicmatch\Musicmatch Jukebox\mmjblaunch.exe" /AudioCD "%1"" ["Musicmatch, Inc."]

 

MMJBPlayMediaOnArrival\

"Provider" = "Musicmatch Jukebox"

"InvokeProgID" = "MMJB.MMJB"

"InvokeVerb" = "Play"

HKLM\SOFTWARE\Classes\MMJB.MMJB\shell\Play\command\(Default) = ""C:\Program Files\Musicmatch\Musicmatch Jukebox\mmjblaunch.exe" "%1"" ["Musicmatch, Inc."]

 

NeroAutoPlay7CDAudio\

"Provider" = "Nero SoundTrax"

"InvokeProgID" = "Nero.AutoPlay3"

"InvokeVerb" = "HandleCDBurningOnArrival_CDAudio"

HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero SoundTrax\SoundTrax.exe /" ["Nero AG"]

 

NeroAutoPlay7CopyCD\

"Provider" = "Nero Burning ROM"

"InvokeProgID" = "Nero.AutoPlay3"

"InvokeVerb" = "PlayMusicFilesOnArrival_CopyCD"

HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\PlayMusicFilesOnArrival_CopyCD\command\(Default) = "C:\Program Files\Nero\Nero 7\Core\nero.exe /Dialog:DiscCopy /Drive:%L" ["Nero AG"]

 

NeroAutoPlay7PlayAudioCD\

"Provider" = "Nero SoundTrax"

"InvokeProgID" = "Nero.AutoPlay3"

"InvokeVerb" = "PlayCDAudioOnArrival_PlayAudioCD"

HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\PlayCDAudioOnArrival_PlayAudioCD\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero SoundTrax\SoundTrax.exe /Play /Drive:%L" ["Nero AG"]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{F2CF5485-4E02-4F68-819C-B92DE9277049}"

-> {HKLM...CLSID} = "&Links"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

 

Explorer Bars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

 

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\

"ButtonText" = "Create Mobile Favorite"

"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"

-> {HKLM...CLSID} = "Create Mobile Favorite"

\InProcServer32\(Default) = "D:\MICROS~1\INetRepl.dll" [MS]

 

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\

"MenuText" = "Utwórz Ulubione dla urządzenia przenośnego..."

"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"

-> {HKLM...CLSID} = "Create Mobile Favorite"

\InProcServer32\(Default) = "D:\MICROS~1\INetRepl.dll" [MS]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"

 

{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

ArcaBit FileMonitor, ABFileMon, ""C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe"" ["ArcaBit"]

ArcaBit NetMonitor, ABNetMon, "C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe" ["ArcaBit"]

ArcaBit Update Service, AVUpdate, "C:\Program Files\ArcaBit\ArcaUpdate\update.exe" ["ArcaBit"]

ArcaBit.Core.Configurator, ArcaBit.Core.Configurator, ""C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe"" ["ArcaBit"]

ArcaBit.Core.LoggingService, ArcaBit.Core.LoggingService, ""C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe"" ["ArcaBit"]

ArcaBit.TaskScheduler, ArcaBit.TaskScheduler, ""C:\Program Files\ArcaBit\Common\TaskScheduler.exe"" ["ArcaBit sp. z o.o."]

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

Lavasoft Ad-Aware Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe"" ["Lavasoft"]

Local Communication Channel, ASChannel, "C:\WINDOWS\System32\svchost.exe -k Cognizance" {"C:\Program Files\HPQ\IAM\Bin\ASChnl.dll" ["Cognizance Corporation"]}

SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

 

 

Print Monitors:

---------------

 

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

HP Master Monitor\Driver = "HPBMMON.DLL" ["Hewlett-Packard"]

HP Mobile Printing Monitor\Driver = "HPMPMW.DLL" ["Hewlett-Packard"]

 

 

---------- (launch time: 2008-08-20 10:54:02)

<<!>>: Suspicious data at a malware launch point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 28 seconds.

---------- (total run time: 81 seconds)

[Niemiec]

tutaj log ze swiezego CF

 

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - combofix

ComboFix 08-08-18.05 - Marek 2008-08-20 13:55:24.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.479 [GMT 2:00]

Running from: C:\Documents and Settings\Marek\Pulpit\trojan\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Marek\UserData

C:\Documents and Settings\Marek\UserData\index.dat

C:\WINDOWS\BM21150afd.txt

C:\WINDOWS\BM21150afd.xml

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\amgltscp.dll

C:\WINDOWS\system32\anmibtpq.exe

C:\WINDOWS\system32\awttsRIA.dll

C:\WINDOWS\system32\bjamjdlf.ini

C:\WINDOWS\system32\ebinhtqq.ini

C:\WINDOWS\system32\ewwwmusa.ini

C:\WINDOWS\system32\fbvvjeng.dll

C:\WINDOWS\system32\fccbXnOG.dll

C:\WINDOWS\system32\fedbospk.exe

C:\WINDOWS\system32\geBUoPjk.dll

C:\WINDOWS\system32\igwirdja.ini

C:\WINDOWS\system32\jaiimknx.exe

C:\WINDOWS\system32\jeiomxnf.dll

C:\WINDOWS\system32\jkkIBQhi.dll

C:\WINDOWS\system32\kgeglglc.dll

C:\WINDOWS\system32\kjPoUBeg.ini

C:\WINDOWS\system32\kjPoUBeg.ini2

C:\WINDOWS\system32\mbnknmai.exe

C:\WINDOWS\system32\oloarmtq.exe

C:\WINDOWS\system32\pmraddus.dll

C:\WINDOWS\system32\qcboxaox.ini

C:\WINDOWS\system32\qqthnibe.dll

C:\WINDOWS\system32\rpsrypsf.dll

C:\WINDOWS\system32\ulsfagfh.ini

C:\WINDOWS\system32\vtUkkkhE.dll

C:\WINDOWS\system32\wvUnMfed.dll

C:\WINDOWS\system32\wxamqsgh.dll

C:\WINDOWS\system32\xoaxobcq.dll

C:\WINDOWS\system32\yaywvwwV.dll

C:\WINDOWS\system32\yldsaymd.exe

C:\WINDOWS\system32\yoiyennq.ini

 

.

((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))

.

 

2008-08-20 11:05 . 2008-08-20 11:05 580,096 --a------ C:\WINDOWS\system32\dllcache\user32.dll

2008-08-20 11:00 . 2008-08-20 11:00 <DIR> d-------- C:\WINDOWS\ERUNT

2008-08-20 10:41 . 2008-08-20 10:41 58,116 --a------ C:\WINDOWS\system32\raehnxsg.dll

2008-08-18 18:35 . 2008-08-18 18:35 128 --a------ C:\Documents and Settings\Marek\index.exe

2008-08-18 18:26 . 2008-08-18 18:26 355 --a------ C:\964.bat

2008-08-16 21:33 . 2008-08-16 21:33 <DIR> d-------- C:\Program Files\Lavasoft

2008-08-13 21:45 . 2008-08-13 21:45 77 --a------ C:\Documents and Settings\Marek\6828.bat

2008-08-10 18:14 . 2008-08-10 18:14 <DIR> d-------- C:\WINDOWS\system32\pl

2008-08-10 18:14 . 2008-08-10 18:14 <DIR> d-------- C:\WINDOWS\system32\bits

2008-08-10 18:14 . 2008-08-10 18:14 <DIR> d-------- C:\WINDOWS\l2schemas

2008-08-10 18:11 . 2008-08-10 18:14 <DIR> d-------- C:\WINDOWS\ServicePackFiles

2008-08-10 18:01 . 2008-08-10 18:01 <DIR> d-------- C:\WINDOWS\EHome

2008-08-08 12:03 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys

2008-08-08 12:03 . 2004-08-03 22:41 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys

2008-08-08 12:03 . 2004-08-03 22:41 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys

2008-08-08 12:03 . 2004-07-17 22:55 129,045 --------- C:\WINDOWS\system32\drivers\cxthsfs2.cty

2008-08-08 12:03 . 2004-08-03 22:41 11,868 --------- C:\WINDOWS\system32\drivers\mdmxsdk.sys

2008-07-31 16:01 . 2008-07-31 16:02 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-20 11:59 --------- d-----w C:\Program Files\Eraser

2008-08-16 19:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-08-15 19:10 --------- d-----w C:\Program Files\Odkurzacz

2008-08-14 08:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-08-14 08:33 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy

2008-08-08 08:32 --------- d-----w C:\Program Files\Google

2008-07-31 14:04 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys

2008-07-31 14:03 15,648 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys

2008-07-31 14:03 12,960 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys

2008-07-31 14:03 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe

2008-07-25 14:17 --------- d-----w C:\Program Files\Cossacks

2008-07-15 20:34 --------- d-----w C:\Program Files\IrfanView

2008-07-14 19:42 --------- d-----w C:\Program Files\AutoMapa EU

2008-07-12 10:16 --------- d-----w C:\Documents and Settings\Marek\Dane aplikacji\Skype

2008-07-11 15:26 --------- d-----w C:\Program Files\Java

2008-07-04 10:27 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab

2008-06-20 17:48 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 17:48 246,784 ------w C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 17:48 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys

2008-06-14 17:36 273,024 ------w C:\WINDOWS\system32\dllcache\bthport.sys

2004-07-22 08:51 3,432,656 -c--a-w C:\Program Files\ManagedDX.CAB

2004-07-19 20:58 1,156,363 -c--a-w C:\Program Files\BDANT.cab

2004-07-19 20:53 976,020 -c--a-w C:\Program Files\BDAXP.cab

2004-07-16 12:30 3,858 -c--a-w C:\Program Files\directx redist.txt

2004-07-09 12:17 13,265,040 -c--a-w C:\Program Files\dxnt.cab

2004-07-09 07:13 703,080 -c--a-w C:\Program Files\BDA.cab

2004-07-09 07:13 15,493,481 -c--a-w C:\Program Files\DirectX.cab

2004-07-09 02:08 472,576 -c--a-w C:\Program Files\dxsetup.exe

2004-07-09 02:08 2,242,560 -c--a-w C:\Program Files\dsetup32.dll

2004-07-09 01:03 62,976 -c--a-w C:\Program Files\DSETUP.dll

2003-08-05 12:25 194 -c--a-w C:\Program Files\EraserSetup.asc

2003-08-05 12:24 2,833,921 -c--a-w C:\Program Files\EraserSetup.exe

2003-08-05 12:23 4,600 -c--a-w C:\Program Files\History.txt

2003-07-25 08:33 6,159 -c--a-w C:\Program Files\README.txt

2002-01-07 03:30 18,351 -c--a-w C:\Program Files\COPYING.txt

.

 

((((((((((((((((((((((((((((( snapshot@2008-08-20_10.51.17.45 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-07-27 22:36:28 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE

+ 2008-08-20 09:01:13 6,840,320 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT

+ 2008-08-20 09:01:13 163,840 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat

+ 2008-07-27 22:36:28 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE

+ 2008-08-20 09:00:46 6,840,320 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT

+ 2008-08-20 09:00:47 163,840 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat

- 2008-08-20 08:39:51 53,098 ----a-w C:\WINDOWS\system32\perfc009.dat

+ 2008-08-20 11:54:14 53,098 ----a-w C:\WINDOWS\system32\perfc009.dat

- 2008-08-20 08:39:51 67,496 ----a-w C:\WINDOWS\system32\perfc015.dat

+ 2008-08-20 11:54:14 67,496 ----a-w C:\WINDOWS\system32\perfc015.dat

- 2008-08-20 08:39:51 380,684 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2008-08-20 11:54:14 380,684 ----a-w C:\WINDOWS\system32\perfh009.dat

- 2008-08-20 08:39:51 436,560 ----a-w C:\WINDOWS\system32\perfh015.dat

+ 2008-08-20 11:54:14 436,560 ----a-w C:\WINDOWS\system32\perfh015.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Eraser"="C:\Program Files\Eraser\eraser.exe" [2003-07-25 11:15 536576]

"H/PC Connection Agent"="D:\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 15:57 1289000]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 16:18 94208]

"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2008-03-03 15:44 266240]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 19:21 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

"ABRegmon"="C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe" [2007-07-12 10:40 303104]

"ArcaCheck"="C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe" [2007-07-27 13:57 836912]

"AvMenu"="C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe" [2008-01-29 16:12 481800]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 01:06 487424]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 19:21 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]

2004-11-10 02:19 38912 C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TS_LogonListener]

2007-01-12 16:41 101376 C:\WINDOWS\system32\TS_LogonListener.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.divxa32"= DivXa32.acm

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geBUoPjk

 

[HKLM\~\startupfolder\C:^Documents and Settings^Marek^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5 - Hammers of Fate.LNK]

path=C:\Documents and Settings\Marek\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5 - Hammers of Fate.LNK

backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5 - Hammers of Fate.LNKStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Marek^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5.LNK]

path=C:\Documents and Settings\Marek\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5.LNK

backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

--a--c--- 2005-01-19 21:40 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

--a--c--- 2004-09-23 12:41 860160 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

--a--c--- 2004-10-14 09:11 1388544 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2006-04-13 01:57 36972 C:\Program Files\Java\jre1.5.0\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]

--a--c--- 2004-12-08 18:44 184320 C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\U.S. Robotics\\EasyConfigurator\\EasyConfigurator.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"D:\\Gry Filipa\\Age of Empires III\\age3x.exe"=

"D:\Microsoft ActiveSync\rapimgr.exe"= D:\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"D:\Microsoft ActiveSync\wcescomm.exe"= D:\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"D:\Microsoft ActiveSync\WCESMgr.exe"= D:\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"D:\\Gry Filipa\\Bitwa\\game.dat"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

 

R1 ABTDI;ABTDI;C:\Program Files\ArcaBit\ArcaVir\ABTDI.sys [2007-05-08 14:45]

R2 ABFileMon;ArcaBit FileMonitor;C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe [2007-10-10 07:55]

R2 ArcaBit.TaskScheduler;ArcaBit.TaskScheduler;C:\Program Files\ArcaBit\Common\TaskScheduler.exe [2007-01-12 16:42]

R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2008-04-14 19:21]

R2 AVUpdate;ArcaBit Update Service;C:\Program Files\ArcaBit\ArcaUpdate\update.exe [2007-02-26 16:04]

R3 ABFLT;ArcaBit File Monitor Driver;C:\PROGRA~1\ArcaBit\ArcaVir\ABFLT.sys [2007-09-12 14:37]

R3 ArcaBit.Core.Configurator;ArcaBit.Core.Configurator;C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe [2007-01-11 16:01]

R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 18:26]

S2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe []

S3 ArcaBit.Core.LoggingService;ArcaBit.Core.LoggingService;C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe [2007-01-11 16:03]

S3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2004-09-02 14:30]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Cognizance REG_MULTI_SZ ASChannel

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f0ccbe4-cc45-11dc-be73-001560c6ebd0}]

\Shell\Auto\command - H:\Start.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.

- - - - ORPHANS REMOVED - - - -

 

HKLM-Run-22263961 - C:\WINDOWS\system32\qqthnibe.dll

HKLM-Run-BM21150afd - C:\WINDOWS\system32\rpsrypsf.dll

 

 

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Marek\Dane aplikacji\Mozilla\Firefox\Profiles\pvxbszwy.default\

FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.onet.pl/

FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\browser\nppdf32.dll

FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPSignPlugin.dll

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-20 14:01:10

Windows 5.1.2600 Dodatek Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\ati2evxx.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\scardsvr.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\wdfmgr.exe

D:\MICROS~1\rapimgr.exe

C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\WINDOWS\system32\wbem\wmiadap.exe

C:\WINDOWS\SoftwareDistribution\Download\ca2bf2210677be3ed1abd5bd174589a4\update\update.exe

.

**************************************************************************

.

Completion time: 2008-08-20 14:05:30 - machine was rebooted

ComboFix-quarantined-files.txt 2008-08-20 12:05:20

ComboFix2.txt 2008-08-20 08:52:32

 

Pre-Run: 1,642,041,344 bajtów wolnych

Post-Run: 1,589,583,872 bajt˘w wolnych

 

260 --- E O F --- 2008-08-10 21:07:39

 

[Kolobos]

CFScript.txt:

 

File::

C:\WINDOWS\system32\raehnxsg.dll

C:\Documents and Settings\Marek\index.exe

C:\964.bat

C:\Documents and Settings\Marek\6828.bat

 

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f0ccbe4-cc45-11dc-be73-001560c6ebd0}]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00