Trojan-spy.win32.keylogger.aa

s3in · 27 Sierpnia 2008

Mam problem z wirusem - trojan-spy.win32.keylogger.aa, nie mogę go niczym usunąć (avast, nod32, s&d, ad-aware) Jakieś rozwiązania?

Kolobos · 27 Sierpnia 2008

W jakim pliku i gdzie ten plik sie dokladnie znajduje?

Daj log z combofix.

s3in · 30 Sierpnia 2008

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "Log z combofix."

ComboFix 08-08-29.02 - ola 2008-08-30 12:39:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.113 [GMT 2:00]
Running from: C:\Documents and Settings\ola\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\system32\xd.txt

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-30 12:07 . 2008-08-30 12:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-29 18:25 . 2008-08-29 18:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-29 18:25 . 2008-08-29 18:25 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-27 13:34 . 2008-08-30 12:43 <DIR> d-a------ C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-08-27 13:33 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-08-27 13:33 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-08-27 13:33 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-08-27 13:33 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-08-27 13:32 . 2008-08-29 11:08 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-27 13:32 . 2008-08-27 13:32 <DIR> d-------- C:\Documents and Settings\ola\Dane aplikacji\PC Tools
2008-08-27 10:56 . 2008-08-27 11:17 <DIR> d-------- C:\Program Files\SkanerOnline
2008-08-27 00:13 . 2008-08-30 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-08-26 23:20 . 2008-08-26 23:20 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-26 23:20 . 2008-08-26 23:26 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-08-26 23:16 . 2008-08-26 23:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-26 20:04 . 2008-08-26 20:04 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-26 19:53 . 2008-08-26 19:53 0 --ah----- C:\WINDOWS\.security
2008-08-26 19:53 . 2008-08-26 19:53 0 --ah----- C:\.security
2008-08-25 20:48 . 2008-08-25 20:48 126 --a------ C:\Documents and Settings\ola\delself.bat
2008-08-25 19:07 . 2008-08-25 19:07 <DIR> d-------- C:\Program Files\ugltkzd
2008-08-25 19:07 . 2008-08-27 10:37 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\vypgjuny
2008-08-25 19:07 . 2008-08-25 19:07 90,112 --a------ C:\WINDOWS\system32\bqjsjina.exe
2008-07-09 19:37 . 2008-08-27 11:40 <DIR> d-------- C:\Downloads
2008-07-09 19:37 . 2008-07-09 19:37 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 10:33 --------- d-----w C:\Program Files\Eset
2008-08-30 10:13 --------- d-----w C:\Documents and Settings\ola\Dane aplikacji\Skype
2008-08-28 12:07 --------- d-----w C:\Documents and Settings\ola\Dane aplikacji\Tlen.pl
2008-08-27 08:44 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-23 18:39 4,766 ----a-w C:\Program Files\INSTALL.LOG
2008-03-05 15:30 97,288 ----a-w C:\Documents and Settings\DirectX 9.0\DSETUP.dll
2008-03-05 15:30 527,880 ----a-w C:\Documents and Settings\DirectX 9.0\DXSETUP.exe
2008-03-05 15:30 1,694,728 ----a-w C:\Documents and Settings\DirectX 9.0\dsetup32.dll
1998-04-30 13:56 129,024 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-29 00:00 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-30 21:39 68856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 14:47 25366056]
"infodbsrv"="C:\WINDOWS\system32\bqjsjina.exe" [2008-08-25 19:07 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-11-08 03:45 188416]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-07-16 09:16 1166216]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 06:42 577536 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-29 00:00 13312]

C:\Documents and Settings\ola\Menu Start\Programy\Autostart\
.security [2008-08-26 19:53:13 0]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
.security [2008-08-26 19:53:13 0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"setsys"= {40D0A797-9377-16BF-EA0C-03F8091657A9} - C:\Program Files\ugltkzd\setsys.dll [2008-08-25 19:07 131072]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Osv71.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\explorer.exe"=

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
HKLM-Run-WinampAgent - C:\Program Files\Winamp\winampa.exe
HKLM-Run-NBKeyScan - C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
Notify-lstream - lstream.dll

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\ola\Dane aplikacji\Mozilla\Firefox\Profiles\arpur1w1.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.pl/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-30 12:43:13
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-30 12:49:07
ComboFix-quarantined-files.txt 2008-08-30 10:49:02

Pre-Run: 4,111,122,432 bajtów wolnych
Post-Run: 4,172,685,312 bajtów wolnych

144

Edytowane 30 Sierpnia 2008 przez Kolobos

Kolobos · 30 Sierpnia 2008

Utworz na pulpicie plik CFScript.txt:

Driver::

Osv71.sys

Folder::

C:\Program Files\ugltkzd\

C:\Documents and Settings\All Users\Dane aplikacji\vypgjuny

File::

C:\WINDOWS\.security

C:\.security

"C:\Documents and Settings\ola\Menu Start\Programy\Autostart\.security"

"C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\.security"

C:\WINDOWS\system32\bqjsjina.exe

C:\Documents and Settings\ola\delself.bat

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"setsys"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"infodbsrv"=-

Zapisz i przeciagnij go na ikone combofix.

ToMaSs1986 · 4 Września 2008

Mam podobny problem jak możecie to pomóżcie wstawiam loga z Hijcacka mam Combofixa i co muszę zrobić żeby nei mieć tego badziewia:(:/?? Jestem tu nowy jakbym zrobił coś żle to poprawcie i przepraszam. Czekam na jakąś pomoc 8O

Log z ComboFixa

Log z Hijacka

Jeszcze raz sory, że nie dokładnie zrobiłem. Mam nadzieję że teraz jest ok

Edytowane 4 Września 2008 przez ToMaSs1986

Kolobos · 4 Września 2008

Uzyj "Edytuj" i daj log z combofix zamiast dwa razy hijackthis oba maja byc w spoilerze lub wklejasz na http://wklej.org i podajes linki do logow.

Edytowane 25 Lutego 2009 przez Kolobos

Kolobos · 5 Września 2008

Utworz na pulpicie plik CFScript.txt i wklej do niego:

Folder::

C:\Documents and Settings\All Users\Dane aplikacji\ujozwfaj\

C:\temp

C:\Program Files\PC-Antispy

C:\Program Files\PC Clean Pro

File::

C:\WINDOWS\system32\orshahsh.exe

C:\WINDOWS\.security

C:\.security

C:\WINDOWS\system32\msxml71.dll

C:\WINDOWS\system32\ujmfgded.exe

C:\Documents and Settings\x\Menu Start\Programy\Autostart\.security

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\.security

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"shutil"=-

"smartgen"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"lphc9dwj0egbl"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"1LYe1KkX6N"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03b1f2ca-cccf-11dc-a2ed-001a4df44a78}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97392ace-cb59-11dc-a2ea-001a4df44a78}]

Zapisz go i przeciagnij na ikone combofix.exe

Po uzyciu daj nowy log z combofix. Uzyj tez Flash Disinfector.

ToMaSs1986 · 5 Września 2008

Witam ponownie wstawiłem do Combo. Niestesty teraz wirusy mi zaczęły strony blokować. wstawiam Log z Combo po zmianie. Pozdrawiam

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "ComboFix 08-09-04.09 - x 2008-09-05 15:37:06.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.1499 [GMT 2:00

Running from: C:\Documents and Settings\x\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\x\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\.security

C:\Documents and Settings\All Users\Dane aplikacji\ujozwfaj\

C:\Documents and Settings\All Users\Dane aplikacji\ujozwfaj\\crilkhuf.exe

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\.security

C:\Documents and Settings\x\Cookies\x@tradedoubler[1].txt

C:\Documents and Settings\x\Menu Start\Programy\Autostart\.security

C:\Program Files\PC-Antispy

C:\Program Files\PC-Antispy\ASpyStBlk.dll

C:\Program Files\PC Clean Pro

C:\Program Files\PC Clean Pro\com\pcprosd.dll

C:\Program Files\PC Clean Pro\Uninstall.exe

C:\temp

C:\temp\{871ce3c5-6e97-3363-a174-3208198ce6fd}\chrome.manifest

C:\temp\{871ce3c5-6e97-3363-a174-3208198ce6fd}\chrome\su.jar

C:\temp\{871ce3c5-6e97-3363-a174-3208198ce6fd}\install.rdf

C:\temp\{871ce3c5-6e97-3363-a174-3208198ce6fd}\su.reg

C:\WINDOWS\.security

C:\WINDOWS\system32\msxml71.dll

C:\WINDOWS\system32\orshahsh.exe

C:\WINDOWS\system32\ujmfgded.exe

.

((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))

.

2008-09-04 13:37 . 2008-09-04 13:37 90,112 --a------ C:\WINDOWS\system32\jgzynqre.exe

2008-09-04 12:18 . 2008-09-04 12:18 <DIR> d-------- C:\Program Files\HakerzyNET AntiVirus

2008-09-04 11:55 . 2008-09-04 11:55 <DIR> d-------- C:\Program Files\Trend Micro

2008-09-04 02:26 . 2008-09-04 02:26 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files

2008-09-04 02:25 . 2008-09-04 02:25 <DIR> d-------- C:\Program Files\Panda Security

2008-09-04 02:25 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys

2008-09-04 02:19 . 2008-09-04 03:55 <DIR> d-------- C:\Program Files\MS Antivirus

2008-09-04 02:00 . 2008-09-04 04:00 <DIR> d-------- C:\Program Files\SAV

2008-09-03 19:02 . 2008-09-04 01:53 <DIR> d-------- C:\Program Files\Radio Decoder

2008-09-02 22:24 . 2008-09-02 22:24 11 -ra------ C:\WINDOWS\amunres.lsl

2008-08-29 17:43 . 2008-08-29 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Go Go Gourmet

2008-08-29 17:42 . 2008-08-29 17:42 <DIR> d-------- C:\Program Files\Gamenext

2008-08-29 17:42 . 2008-08-29 17:42 <DIR> d-------- C:\Program Files\Common Files\Oberon Media

2008-08-16 11:36 . 2008-08-16 11:36 <DIR> d-------- C:\Program Files\AVG

2008-08-16 11:36 . 2008-09-04 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\avg8

2008-08-16 10:58 . 2008-08-16 12:38 <DIR> d-------- C:\WINDOWS\system32\NtmsData

2008-08-16 10:30 . 2008-08-16 10:30 <DIR> d-------- C:\Documents and Settings\LocalService\Pulpit

2008-08-16 10:24 . 2008-08-16 10:24 <DIR> d-------- C:\WINDOWS\system32\pl

2008-08-16 10:24 . 2008-08-16 10:24 <DIR> d-------- C:\WINDOWS\system32\bits

2008-08-16 10:24 . 2008-08-16 10:24 <DIR> d-------- C:\WINDOWS\l2schemas

2008-08-16 10:22 . 2008-08-16 10:24 <DIR> d-------- C:\WINDOWS\ServicePackFiles

2008-08-14 05:18 . 2008-04-11 21:06 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll

2008-08-13 14:14 . 2008-08-13 14:14 <DIR> d-------- C:\Program Files\Cake Mania

2008-08-13 14:14 . 2008-08-13 14:14 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Sandlot Games

2008-08-13 14:13 . 2008-08-13 14:13 <DIR> d-------- C:\Program Files\ReflexiveArcade

2008-08-07 23:23 . 2008-08-07 23:23 <DIR> d-------- C:\Program Files\Lonely Cat Games

2008-08-07 19:48 . 2008-09-04 13:51 <DIR> d-------- C:\Program Files\SkanerOnline

2008-08-07 19:22 . 2008-08-07 19:24 <DIR> d-------- C:\Program Files\Valve

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-05 13:37 --------- d-----w C:\Documents and Settings\x\Dane aplikacji\Skype

2008-09-05 12:48 57,344 ----a-w C:\WINDOWS\system32\userinit.exe

2008-09-05 12:48 --------- d-----w C:\Documents and Settings\x\Dane aplikacji\skypePM

2008-09-04 13:11 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin

2008-09-03 23:53 720,896 ----a-w C:\WINDOWS\iun6002.exe

2008-09-02 20:28 --------- d-----w C:\Program Files\Zylom Games

2008-09-02 20:26 --------- d-----w C:\Program Files\Hotel dla zwierzaków

2008-08-29 16:43 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP

2008-08-21 19:44 --------- d-----w C:\Documents and Settings\x\Dane aplikacji\Zylom

2008-08-16 11:29 --------- d-----w C:\Program Files\Bonjour

2008-08-16 08:33 --------- d-----w C:\Program Files\Windows Media Connect 2

2008-08-07 17:22 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-16 19:19 --------- d-----w C:\Documents and Settings\x\Dane aplikacji\Nokia

2008-07-16 17:55 --------- d-----w C:\Documents and Settings\x\Dane aplikacji\Datalayer

2008-07-16 17:51 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2008-07-16 17:51 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf

2008-07-07 20:29 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-06-24 16:46 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-23 16:42 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-06-20 17:48 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll

.

------- Sigcheck -------

2004-08-04 00:44 25088 bd768099b4c44aa631728cb74eb54396 C:\WINDOWS\$NtServicePackUninstall$\userinit.exe

2008-04-14 19:21 26624 2a5b37d520508be6570a3ea79695f5b5 C:\WINDOWS\ServicePackFiles\i386\userinit.exe

2008-09-05 14:48 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\WINDOWS\system32\userinit.exe

.

((((((((((((((((((((((((((((( snapshot@2008-08-30_10.35.20.54 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-06-30 08:39:58 128,256 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll

+ 2008-04-14 17:21:45 26,624 ----a-w C:\WINDOWS\system32\init32.exe

+ 2008-09-05 12:47:34 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_630.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]

"Gadu-Gadu"="C:\Documents and Settings\x\Pulpit\Gadu-Gadu\gg.exe" [2004-09-28 774144]

"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 222080]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-13 68856]

"Creative Live! Cam Manager"="C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2007-06-07 155648]

"CreativeTaskScheduler"="C:\Program Files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]

"Skype"="C:\Documents and Settings\x\Pulpit\Phone\Skype.exe" [2008-05-30 21718312]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

"ProcDbUi"="C:\WINDOWS\system32\jgzynqre.exe" [2008-09-04 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ASUSGamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 380928]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-19 185896]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 413696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"V0420Mon.exe"="C:\WINDOWS\V0420Mon.exe" [2007-04-30 32768]

"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 229376]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 8466432]

"SkyTel"="SkyTel.EXE" [2006-05-16 C:\WINDOWS\SkyTel.exe]

"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 C:\WINDOWS\RTHDCPL.EXE]

"nwiz"="nwiz.exe" [2007-06-28 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.iac2"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iac25_32.ax

"msacm.sl_anet"= C:\PROGRA~1\ACEMEG~1\SystemS\sl_anet.acm

"vidc.yv12"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL

"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll

"msacm.msaudio1"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a------ 2008-04-14 19:21 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2007-06-28 18:43 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-06-28 18:43 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]

--a------ 2003-03-25 05:49 106544 C:\WINDOWS\system32\tweakui.cpl

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Documents and Settings\\x\\Pulpit\\Gadu-Gadu\\gg.exe"=

"C:\\Program Files\\BitComet\\BitComet.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\SopCast\\SopCast.exe"=

"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"C:\\Program Files\\SopCast\\sopvod.exe"=

"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"C:\\Program Files\\ASUS\\GamerOSD\\SBS.exe"=

"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Valve\\hl.exe"=

"C:\\Program Files\\SightSpeed\\SightSpeed.exe"=

"C:\\Documents and Settings\\x\\Pulpit\\Phone\\Skype.exe"=

"C:\\Documents and Settings\\All Users\\Dane aplikacji\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\Polish\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10330:TCP"= 10330:TCP:BitComet 10330 TCP

"10330:UDP"= 10330:UDP:BitComet 10330 UDP

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]

R0 pe3aq44b;Hotel dla zwierzakow Environment Driver (pe3aq44b);C:\WINDOWS\system32\drivers\pe3aq44b.sys [2008-03-17 69256]

R0 pf2aq44b;Hotel dla zwierzakow File System Driver (pf2aq44b);C:\WINDOWS\system32\drivers\pf2aq44b.sys [2008-03-17 83592]

R0 ps7aq44b;Hotel dla zwierzakow Synchronization Driver (ps7aq44b);C:\WINDOWS\system32\drivers\ps7aq44b.sys [2008-03-17 68752]

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]

R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-07-12 12416]

R3 V0420VID;Live! Cam Vista IM (VF0420);C:\WINDOWS\system32\DRIVERS\V0420Vid.sys [2007-05-31 99648]

R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2007-07-12 10752]

S4 pr2aq44b;Hotel dla zwierzakow Drivers Auto Removal (pr2aq44b);C:\WINDOWS\system32\pr2aq44b.exe svc [ ]

*Newly Created Service* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AVG8_TRAY - C:\PROGRA~1\AVG\AVG8\avgtray.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-05 15:39:01

Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-09-05 15:40:01

ComboFix-quarantined-files.txt 2008-09-05 13:39:48

ComboFix2.txt 2008-09-04 08:15:04

ComboFix3.txt 2008-09-04 08:06:23

ComboFix4.txt 2008-08-30 08:36:36

Pre-Run: 84,706,402,304 bajtów wolnych

Post-Run: 84,756,033,536 bajtów wolnych

202 --- E O F --- 2008-08-17 10:44:09

"]ComboFix 08-09-04.09 - x 2008-09-05 15:37:06.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.1499 [GMT 2:00]