Endzia311
(Asorbjan)
15 April 2007 13:08
#1
I have the MS32DLL.dll.vbs virus and my antivirus does not detect it despite all the updates (avast 4.7 home edition). I don't know how to remove it. Apart from that, BearShare doesn't work for me even though the same versions work for other people. I don't know what that could depend on. I haven't had it installed for a long time now, but some junk has probably been left behind.
Thanks in advance for the help.
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 14:56:19, on 2007-04-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\ashServ.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Moje dokumenty\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [bearShare] "D:\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\MS32DLL.dll.vbs
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: DC++.lnk = C:\Program Files\DC++\DCPlusPlus.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
adam9870
(adam9870)
15 April 2007 13:12
#2
Use ComboFix. Run it => press the Y key => wait patiently, and there should be a log in the form of a .txt file named combofix on the C partition; please post it here.
If you no longer have Messenger, remove these two entries:
The regular version of BearShare has junk bundled into it, so I suggest removing it. If you really want to keep using it, install the Lite version, which is free of the junk.
Endzia311
(Asorbjan)
15 April 2007 13:27
#3
It looks like the virus is gone now. I do use Messenger.
And what should I do with this?
I don't have it installed now. There is nothing like that visible on the disk. Should I remove it in HijackThis? I don't know why no version runs for me except the newest one. They work for other people.
Should I delete these txt files (there are two: ComboFix-quarantined-files.txt and ComboFix.txt)?
Pasting from ComboFix:
"Admin" - 07-04-15 15:16:13 Dodatek Service Pack 2
ComboFix 07-04-05.Rev3 - Running from: "C:\Documents and Settings\Admin\Moje dokumenty\hijackthis"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\MS32DLL.dll.vbs
c:\autorun.inf
d:\MS32DLL.dll.vbs
d:\autorun.inf
e:\MS32DLL.dll.vbs
e:\autorun.inf
f:\MS32DLL.dll.vbs
f:\autorun.inf
g:\MS32DLL.dll.vbs
g:\autorun.inf
h:\MS32DLL.dll.vbs
h:\autorun.inf

((((((((((((((((((((((((((((((( Files Created from 2007-03-15 to 2007-04-15 ))))))))))))))))))))))))))))))))))

2007-04-15 13:18
2007-04-02 20:23
2007-03-27 12:12
2007-03-27 12:11 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-03-27 12:11 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-03-27 12:11 639,066 --a------ C:\WINDOWS\system32\divx.dll
2007-03-27 12:11 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 12:11 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-03-27 12:11 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-03-27 12:11 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-03-27 12:11 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-03-27 12:11 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-03-27 12:11 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-03-27 12:11
2007-03-27 12:11
2007-03-27 12:11

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-15 15:18 -------- d-------- C:\Program Files\dc++
2007-04-15 12:46 -------- d--h----- C:\Program Files\installshield installation information
2007-04-14 09:47 94552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-14 09:47 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-14 09:45 23416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-14 09:44 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-14 09:43 26888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-14 09:42 90112 --a------ C:\WINDOWS\system32\avastss.scr
2007-04-10 13:18 712832 --a------ C:\WINDOWS\system32\aswboot.exe
2007-04-06 16:05 -------- d-------- C:\DOCUME~1\Admin\DANEAP~1\skype
2007-03-25 09:19 49492 --a------ C:\WINDOWS\system32\perfc015.dat
2007-03-25 09:19 355486 --a------ C:\WINDOWS\system32\perfh015.dat
2007-03-23 13:26 -------- d-------- C:\Program Files\gadu-gadu
2007-03-09 01:16 -------- d-------- C:\Program Files\subedit-player
2007-03-05 16:04 -------- d-------- C:\DOCUME~1\Admin\DANEAP~1\limewire
2007-02-24 17:40 12464 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-02-19 14:22 -------- d-------- C:\Program Files\msn messenger
2007-02-01 21:49 308 --a------ C:\WINDOWS\logokom.reg

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit"
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe"
"CTRegRun"="C:\WINDOWS\CTRegRun.EXE"
"BearShare"=""D:\BearShare\BearShare.exe" /pause"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk"
"backup"="C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk"
"backup"="C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE "
"item"="Adobe Reader Synchronizer"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"=""D:\BearShare\BearShare.exe" /pause"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxccmon.exe]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="lxccmon"
"hkey"="HKLM"
"command"=""C:\Program Files\Lexmark 3300 Series\lxccmon.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"=""C:\Program Files\Messenger\msmsgs.exe" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="qttask"
"hkey"="HKLM"
"command"=""C:\Program Files\QuickTime\qttask.exe" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="jusched"
"hkey"="HKLM"
"command"=""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages    REG_MULTI_SZ    msv1_0\0\0
Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages    REG_MULTI_SZ    scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter    REG_MULTI_SZ    HTTPFilter\0\0
LocalService    REG_MULTI_SZ    Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService    REG_MULTI_SZ    DnsCache\0\0
DcomLaunch    REG_MULTI_SZ    DcomLaunch\0TermService\0\0
rpcss    REG_MULTI_SZ    RpcSs\0\0
imgsvc    REG_MULTI_SZ    StiSvc\0\0
termsvcs    REG_MULTI_SZ    TermService\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{18857610-e212-11db-9737-0011d84d5ea9}]
Shell\AutoRun\command    C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{780f73dd-e9a3-11db-9748-0011d84d5ea9}]
Shell\AutoRun\command    C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{be5e6536-9854-11db-9067-0011d84d5ea9}]
Shell\AutoRun\command    C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f3cedc02-7f90-11db-902f-0011d84d5ea9}]
Shell\AutoRun\command    C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-15 15:18:41
C:\ComboFix-quarantined-files.txt ... 07-04-15 15:18
adam9870
(adam9870)
15 April 2007 13:36
#4
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{18857610-e212-11db-9737-0011d84d5ea9}]
Shell\AutoRun\command    C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{780f73dd-e9a3-11db-9748-0011d84d5ea9}]
Shell\AutoRun\command    C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{be5e6536-9854-11db-9067-0011d84d5ea9}]
Shell\AutoRun\command    C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f3cedc02-7f90-11db-902f-0011d84d5ea9}]
Shell\AutoRun\command    C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs
Have a look here:
http://www.searchengines.pl/phpbb203/in … pid=395844
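An added example, not part of this thread and not code from ComboFix or HijackThis: a small Python checker that reads log lines in the style quoted above and flags the persistence pattern adam9870 is pointing at, a MountPoints2 AutoRun command that launches a script host, together with the companion signs visible earlier in the thread (autorun.inf at a drive root, a double-extension .dll.vbs file, a Run key pointing at a script). The excerpt it scans is constructed from the entries in this thread; the second MountPoints2 GUID and its setup.exe command are made up to show an AutoRun entry that only merits a look rather than a script launch.

```python
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the style of the ComboFix / HijackThis lines quoted in this thread.
# The second MountPoints2 GUID and its setup.exe command are made up (not from the thread).
SAMPLE_LOG = r"""
Other Deletions
C:\WINDOWS\MS32DLL.dll.vbs
c:\autorun.inf
d:\MS32DLL.dll.vbs
d:\autorun.inf
O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\MS32DLL.dll.vbs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{18857610-e212-11db-9737-0011d84d5ea9}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aaaaaaaa-0000-0000-0000-000000000000}]
Shell\AutoRun\command D:\setup.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = script launched from an autostart point, "review" = look at it
    kind: str
    detail: str


# Windows Script Host binaries; a drive AutoRun or Run key that calls them is rarely legitimate.
SCRIPT_HOST = re.compile(r"\b(?:wscript|cscript)\.exe\b", re.I)
# Double-extension trick (name.dll.vbs, photo.jpg.js ...): the real extension is the last one.
DOUBLE_EXT = re.compile(r"\.\w{2,4}\.(?:vbs|vbe|js|jse|wsf|bat|cmd)\s*$", re.I)
# autorun.inf sitting at the root of a drive (the page's worm dropped one on every volume).
DRIVE_ROOT_AUTORUN = re.compile(r"^[a-z]:\\autorun\.inf\s*$", re.I)
# Per-volume Explorer key; the backslash before the GUID may be missing in pasted logs.
MOUNTPOINT_KEY = re.compile(r"MountPoints2\\?(\{[0-9a-f-]{36}\})", re.I)
AUTORUN_CMD = re.compile(r"^Shell\\AutoRun\\command\s+(?P<cmd>.+)$", re.I)
# HijackThis O4 line: "O4 - HKLM\..\Run: [name] command"
RUN_ENTRY = re.compile(r"^O4 - .*\\Run: \[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")


def scan_log(text: str) -> list[Finding]:
    """Walk the log line by line, remembering which MountPoints2 key a command belongs to."""
    findings: list[Finding] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MOUNTPOINT_KEY.search(line)
        if m:
            current_key = m.group(1)
            continue
        m = AUTORUN_CMD.match(line)
        if m:
            cmd = m.group("cmd")
            where = f"{current_key or '?'}: {cmd}"
            if SCRIPT_HOST.search(cmd):
                findings.append(Finding("high", "mountpoint_script_autorun", where))
            else:
                findings.append(Finding("review", "mountpoint_autorun", where))
            continue
        if DRIVE_ROOT_AUTORUN.match(line):
            findings.append(Finding("review", "autorun_inf", line))
            continue
        m = RUN_ENTRY.match(line)
        if m:
            cmd = m.group("cmd")
            if SCRIPT_HOST.search(cmd) or DOUBLE_EXT.search(cmd):
                findings.append(Finding("high", "run_key_script", f"[{m.group('name')}] {cmd}"))
            continue
        if DOUBLE_EXT.search(line):
            findings.append(Finding("high", "double_extension_file", line))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    # Pass a saved ComboFix.txt / HijackThis log as the first argument; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for f in scan_log(text):
        print(f"{f.severity:6} {f.kind:26} {f.detail}")
```

Run against the sample it reports four "high" items (the two .dll.vbs files, the Run key pointing at the script, and the MountPoints2 AutoRun that calls wscript.exe) and three "review" items (the two autorun.inf files and the made-up setup.exe AutoRun). The point of the MountPoints2 check is the one adam9870's quote makes: removing the .vbs file alone leaves Explorer with a cached AutoRun command for each volume, so the per-volume keys have to go too.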
Endzia311
(Asorbjan)
15 April 2007 13:48
#5
I removed it. Pasting from Combo:
"Admin" - 07-04-15 15:43:58 Dodatek Service Pack 2
ComboFix 07-04-05.Rev3 - Running from: "C:\Documents and Settings\Admin\Moje dokumenty\hijackthis"

((((((((((((((((((((((((((((((( Files Created from 2007-03-15 to 2007-04-15 ))))))))))))))))))))))))))))))))))

2007-04-15 13:18
2007-04-02 20:23
2007-03-27 12:12
2007-03-27 12:11 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-03-27 12:11 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-03-27 12:11 639,066 --a------ C:\WINDOWS\system32\divx.dll
2007-03-27 12:11 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 12:11 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-03-27 12:11 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-03-27 12:11 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-03-27 12:11 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-03-27 12:11 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-03-27 12:11 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-03-27 12:11
2007-03-27 12:11
2007-03-27 12:11

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-15 15:41 -------- d-------- C:\Program Files\dc++
2007-04-15 12:46 -------- d--h----- C:\Program Files\installshield installation information
2007-04-14 09:47 94552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-14 09:47 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-14 09:45 23416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-14 09:44 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-14 09:43 26888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-14 09:42 90112 --a------ C:\WINDOWS\system32\avastss.scr
2007-04-10 13:18 712832 --a------ C:\WINDOWS\system32\aswboot.exe
2007-04-06 16:05 -------- d-------- C:\DOCUME~1\Admin\DANEAP~1\skype
2007-03-25 09:19 49492 --a------ C:\WINDOWS\system32\perfc015.dat
2007-03-25 09:19 355486 --a------ C:\WINDOWS\system32\perfh015.dat
2007-03-23 13:26 -------- d-------- C:\Program Files\gadu-gadu
2007-03-09 01:16 -------- d-------- C:\Program Files\subedit-player
2007-03-05 16:04 -------- d-------- C:\DOCUME~1\Admin\DANEAP~1\limewire
2007-02-24 17:40 12464 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-02-19 14:22 -------- d-------- C:\Program Files\msn messenger
2007-02-01 21:49 308 --a------ C:\WINDOWS\logokom.reg

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit"
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe"
"CTRegRun"="C:\WINDOWS\CTRegRun.EXE"
"BearShare"=""D:\BearShare\BearShare.exe" /pause"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk"
"backup"="C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk"
"backup"="C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE "
"item"="Adobe Reader Synchronizer"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"=""D:\BearShare\BearShare.exe" /pause"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxccmon.exe]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="lxccmon"
"hkey"="HKLM"
"command"=""C:\Program Files\Lexmark 3300 Series\lxccmon.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"=""C:\Program Files\Messenger\msmsgs.exe" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="qttask"
"hkey"="HKLM"
"command"=""C:\Program Files\QuickTime\qttask.exe" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="jusched"
"hkey"="HKLM"
"command"=""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages    REG_MULTI_SZ    msv1_0\0\0
Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages    REG_MULTI_SZ    scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter    REG_MULTI_SZ    HTTPFilter\0\0
LocalService    REG_MULTI_SZ    Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService    REG_MULTI_SZ    DnsCache\0\0
DcomLaunch    REG_MULTI_SZ    DcomLaunch\0TermService\0\0
rpcss    REG_MULTI_SZ    RpcSs\0\0
imgsvc    REG_MULTI_SZ    StiSvc\0\0
termsvcs    REG_MULTI_SZ    TermService\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-15 15:44:54
C:\ComboFix-quarantined-files.txt ... 07-04-15 15:44
C:\ComboFix2.txt ... 07-04-15 15:18