SDFix

SDFix: Version 1.119
Run by Endrju on 2007-12-22 at 18:47

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
FCI
ntio256

Path:
C:\WINDOWS\System32\svchost.exe:ext.exe
\??\C:\WINDOWS\System32\ntio256.sys

FCI - Deleted
ntio256 - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\-10654~1 - Deleted
C:\Program Files\Helper\superfinderusa.dll - Deleted
C:\WINDOWS\system32\2_exception.nls - Deleted
C:\WINDOWS\system32\adult.txt - Deleted
C:\WINDOWS\system32\finance.txt - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\lt.res - Deleted
C:\WINDOWS\system32\other.txt - Deleted
C:\WINDOWS\system32\pharma.txt - Deleted
C:\WINDOWS\system32\sft.res - Deleted
C:\WINDOWS\system32\xpdx.sys - Deleted

Folder C:\Program Files\Helper - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 18:53:55
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg$winnt32$_test]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,36,f4,17,69,a0,d2,19,c6,12,c8,b1,6a,1a,b8,78,c6,16,...
"hj34z0"=hex:f6,0b,a9,e8,ad,94,a7,1e,5d,e4,6f,b2,82,3f,b8,59,42,a6,8d,a4,3d,...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fsc47]
"Type"=dword:00000001
"Tag"=dword:00000001
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Fsc47]
"Type"=dword:00000001
"Tag"=dword:00000001
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,...

scanning hidden files ...

C:\WINDOWS\system32\drivers\Fsc47.sys 137216 bytes executable
C:\WINDOWS\system32\drivers\symavc32.sys 185856 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 2

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\Program Files\Ocean Technology\GG E-Sports Platform\GGclient.exe"="C:\Program Files\Ocean Technology\GG E-Sports Platform\GGclient.exe:*:Enabled:GG E-Sports Platform Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 18 Dec 2007 194 A.SH. --- "C:\BOOT.BAK"
Fri 7 Dec 2007 65,115 ...SH. --- "C:\WINDOWS\system32\srvd.exe"

Finished!

-------------------------------------------------------------ComboFix

ComboFix 07-12-21.4 - Endrju 2007-12-22 18:58:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.156 [GMT 1:00]
Running from: C:\Documents and Settings\Endrju\Pulpit\ComboFix(2).exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\6_exception.nls
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\FSC47.sys
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\Rgm33.sys
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_FSC47
-------\LEGACY_NTIO256

((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.

2007-12-22 02:03 . 2007-12-22 02:03
2007-12-22 01:49 . 2007-12-22 16:38 163,872 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-22 01:49 . 2007-12-22 16:37 6,944 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-22 01:49 . 2007-12-22 01:57 1,988 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-22 01:49 . 2007-12-22 01:57 1,364 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-22 01:45 . 2007-12-22 01:53
2007-12-22 00:08 . 2007-12-22 00:08
2007-12-20 19:06 . 2007-12-20 19:06
2007-12-20 18:16 . 2007-12-20 18:16
2007-12-20 18:15 . 2007-12-20 18:15 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2007-12-20 18:14 . 2007-12-20 18:14
2007-12-20 18:12 . 2007-12-20 18:12
2007-12-20 17:46 . 2004-08-04 00:44 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-20 17:41 . 2007-12-20 17:41
2007-12-20 17:36 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002367_.tmp
2007-12-20 17:35 . 2004-08-03 22:43 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-20 17:32 . 2007-12-20 17:44
2007-12-20 15:35 . 2004-08-04 01:17 469,089 -ra------ C:\txtsetup.sif
2007-12-20 15:35 . 2004-08-03 23:00 262,400 -ra------ C:\$LDR$
2007-12-20 15:35 . 2007-12-18 23:57 194 --ahs---- C:\BOOT.BAK
2007-12-20 15:22 . 2007-12-20 15:22
2007-12-20 15:22 . 2007-12-20 15:22
2007-12-20 15:22 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2007-12-20 15:22 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2007-12-20 14:49 . 2007-12-20 14:49 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-20 12:30 . 2007-12-20 12:30 1,217 --a------ C:\WINDOWS\bestplayer.ini
2007-12-20 12:30 . 2007-12-20 12:30 246 --a------ C:\WINDOWS\bestplayer.bbt
2007-12-20 12:30 . 2007-12-20 12:30 116 --a------ C:\WINDOWS\bestplayer.bpp
2007-12-20 10:09 . 2007-12-20 10:09
2007-12-20 01:40 . 2007-12-20 01:40
2007-12-20 01:03 . 2007-12-20 01:03 4,608 --a------ C:\wincchw.exe
2007-12-20 01:03 . 2007-12-20 01:03 4,608 --a------ C:\winbhvd.exe
2007-12-20 01:03 . 2007-12-20 01:03 0 --a------ C:\WINDOWS\system32\MI1B.tmp
2007-12-20 01:03 . 2007-12-20 01:03 0 --a------ C:\WINDOWS\system32\MI19.tmp
2007-12-20 01:03 . 2007-12-20 01:03 0 --a------ C:\WINDOWS\system32\MI17.tmp
2007-12-20 01:03 . 2007-12-20 01:03 0 --a------ C:\WINDOWS\system32\MI15.tmp
2007-12-20 00:44 . 2007-12-22 00:08
2007-12-20 00:41 . 2007-12-20 00:41 29 --a------ C:\WINDOWS\system32\itosfgew.tmp
2007-12-20 00:15 . 2007-12-20 00:15 0 --a------ C:\WINDOWS\system32\MI11B.tmp
2007-12-20 00:13 . 2007-12-20 00:13 4,608 --a------ C:\winlxyt.exe
2007-12-20 00:13 . 2007-12-20 00:13 4,608 --a------ C:\winizce.exe
2007-12-20 00:13 . 2007-12-20 00:13 0 --a------ C:\WINDOWS\system32\MI117.tmp
2007-12-20 00:13 . 2007-12-20 00:13 0 --a------ C:\WINDOWS\system32\MI115.tmp
2007-12-20 00:00 . 2007-12-20 00:00 4,608 --a------ C:\winwcvs.exe
2007-12-20 00:00 . 2007-12-20 00:00 4,608 --a------ C:\winqqni.exe
2007-12-20 00:00 . 2007-12-20 00:00 0 --a------ C:\WINDOWS\system32\MI10F.tmp
2007-12-20 00:00 . 2007-12-20 00:00 0 --a------ C:\WINDOWS\system32\MI10D.tmp
2007-12-20 00:00 . 2007-12-20 00:00 0 --a------ C:\WINDOWS\system32\MI10B.tmp
2007-12-20 00:00 . 2007-12-20 00:00 0 --a------ C:\WINDOWS\system32\MI109.tmp
2007-12-19 23:56 . 2007-12-19 23:56 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-12-19 21:24 . 2007-12-19 21:26 94,208 --a------ C:\WINDOWS\ScUnin.exe
2007-12-19 21:24 . 2007-12-19 21:26 35,382 --a------ C:\WINDOWS\scunin.dat
2007-12-19 21:24 . 2007-12-19 21:26 967 --a------ C:\WINDOWS\ScUnin.pif
2007-12-19 21:23 . 2007-12-19 22:16
2007-12-19 10:16 . 2007-12-19 10:16 38 --a------ C:\WINDOWS\AviSplitter.INI
2007-12-19 03:51 . 2007-12-22 19:04 21,760 --a------ C:\WINDOWS\Bhm38.sys
2007-12-19 00:12 . 2007-12-19 00:12
2007-12-18 13:48 . 2007-12-18 13:48
2007-12-17 19:14 . 2003-02-21 03:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2007-12-16 09:48 . 2007-12-20 07:17
2007-12-16 09:48 . 2007-12-16 09:48 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-12-16 09:47 . 2007-12-17 15:52
2007-12-14 22:09 . 2007-12-14 22:09
2007-12-13 20:36 . 2007-12-13 20:45 24,064 --a------ C:\mlah.exe
2007-12-13 20:22 . 2007-12-13 20:46 25,600 --a------ C:\WINDOWS\system32\ronods.dll
2007-12-13 18:06 . 2007-12-13 20:37 25,600 --a------ C:\WINDOWS\system32\judgemq.dll
2007-12-13 03:50 . 2007-12-13 03:50 142,848 --a------ C:\WINDOWS\system32\MI112.tmp
2007-12-12 23:42 . 2007-12-19 00:08 21,760 --a------ C:\WINDOWS\system32\drivers\Bhm38.sys
2007-12-12 23:40 . 2007-12-13 20:45 57,856 --a------ C:\actgm.exe
2007-12-12 23:01 . 2007-12-12 23:01
2007-12-12 23:01 . 2006-03-14 02:26 53,248 --a------ C:\WINDOWS\system32\ImageOle.dll
2007-12-12 01:05 . 2007-12-12 01:05
2007-12-12 01:05 . 2006-11-22 11:00 63,488 --a------ C:\WINDOWS\system32\ff_acm.acm
2007-12-12 01:05 . 2006-11-22 11:00 8,192 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-12-12 01:05 . 2006-11-22 11:00 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2007-12-11 10:40 . 2007-12-11 10:41
2007-12-11 10:32 . 2007-12-11 10:32
2007-12-08 13:13 . 2007-12-08 13:13
2007-12-07 22:30 . 2007-12-22 01:19
2007-12-07 22:11 . 2007-12-07 22:11
2007-12-07 21:30 . 2007-12-07 21:30 808 --a------ C:\WINDOWS\unins000.dat
2007-12-07 19:21 . 2007-12-07 19:21 141,394 --a------ C:\Documents and Settings\Endrju\reg.exe
2007-12-07 18:25 . 2007-12-07 18:26
2007-12-07 18:25 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-12-07 17:50 . 2007-12-07 23:11 65,115 ---hs---- C:\WINDOWS\system32\srvd.exe
2007-12-07 16:57 . 2007-12-07 16:57
2007-12-07 16:55 . 2007-12-07 16:55
2007-12-07 16:28 . 2007-12-20 00:03
2007-12-06 21:53 . 2004-08-04 00:43 2,113,536 --a------ C:\WINDOWS\system32\dxdiagn.dll
2007-12-06 21:14 . 2007-12-06 21:28 139,264 --a------ C:\WINDOWS\War3Unin.exe
2007-12-06 21:14 . 2007-12-06 21:32 76,215 --a------ C:\WINDOWS\War3Unin.dat
2007-12-06 21:14 . 2007-12-06 21:28 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-12-06 21:10 . 2007-12-22 16:10
2007-12-06 20:27 . 2007-12-06 20:27
2007-12-06 20:13 . 2007-12-06 20:13
2007-12-06 20:12 . 2007-12-06 20:13
2007-12-06 20:12 . 2007-12-06 20:12 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2007-12-06 19:46 . 2007-12-13 00:14 1,100 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-06 19:41 . 2002-03-21 20:21 134,784 -ra------ C:\WINDOWS\system32\drivers\b57xp32.sys
2007-12-06 19:40 . 2004-08-03 23:07 171,776 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-06 17:50 23 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2007-12-06 10:55 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-06 10:53 --------- d-----w C:\Program Files\Usługi online
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:44]
"PowerArchiver Tray"="C:\Program Files\PowerArchiver\PASTARTER.EXE" [2007-11-30 16:08]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" []
"autoclk"="autoclk.exe" [2002-09-25 10:36 C:\WINDOWS\autoclk.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:44 C:\WINDOWS\system32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 00:44 C:\WINDOWS\system32\rundll32.exe]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 17:36]
"WOOTASKBARICON"="C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" []
"WOOWATCH"="C:\PROGRA~1\Wanadoo\Watch.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WindowsUpdater"="WindowsUpdater.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44]
"johkjh"="C:\WINDOWS\system32\srvd.exe" [2007-12-07 23:11]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DSLMON.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\DSLMON.lnk
backup=C:\WINDOWS\pss\DSLMON.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
C:\Program Files\BitComet\BitComet.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
C:\Program Files\D-Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerArchiver Tray]
2007-11-30 16:08 140328 --a------ C:\Program Files\PowerArchiver\PASTARTER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\s123dwe2]
C:\WINDOWS\TEMP\B27F8382.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PSIMSVC"=2 (0x2)
"PAVSRV"=2 (0x2)
"Panda Software Controller"=2 (0x2)
"MSN RAV"=2 (0x2)
"FCI"=2 (0x2)
"SoundMAX Agent Service (default)"=2 (0x2)

R0 Bhm38;Bhm38;C:\WINDOWS\system32\Drivers\Bhm38.sys [2007-12-19 00:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 19:05:48
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-22 19:06:47 - machine was rebooted

and just in case

-------------------------------------another HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:07:40, on 2007-12-22
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\autoclk.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\RunServices: [WindowsUpdater] WindowsUpdater.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4009 bytes