Mr.Irek
(Iziolkowski)
30 March 2007 08:08
#1
Please check my log; my antivirus detected a trojan and I would like to get rid of it.
Logfile of HijackThis v1.99.1
Scan saved at 10:07:46, on 2007-03-30
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\RTHDCPL.EXE
H:\WINDOWS\system32\RunDLL32.exe
H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
H:\Program Files\lg_fwupdate\fwupdate.exe
H:\Program Files\Common Files\Symantec Shared\ccApp.exe
H:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
H:\Program Files\Picasa2\PicasaMediaDetector.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\Gadu-Gadu\gg.exe
H:\Program Files\Skype\Phone\Skype.exe
H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
H:\WINDOWS\ATKKBService.exe
H:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\Program Files\Norton AntiVirus\navapsvc.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\Program Files\Skype\Plugin Manager\SkypePM.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Outlook Express\msimn.exe
H:\WINDOWS\system32\wuauclt.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\Winamp\winamp.exe
H:\Download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - H:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - H:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - H:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - H:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "H:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [ccApp] H:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] H:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] H:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] H:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "H:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [BitComet] "H:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [Skype] "H:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [eMuleAutoStart] H:\Program Files\eMule\emule.exe -AutoStart
O8 - Extra context menu item: Download all links using BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - H:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - H:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - H:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Usługa Auto-Protect w programie Norton AntiVirus (navapsvc) - Symantec Corporation - H:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - H:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
adam9870
(adam9870)
30 March 2007 13:44
#2
Log clean.
But where is it being detected? Please give the exact location of the infected file that is found. Additionally, paste a ComboFix log.
Mr.Irek
(Iziolkowski)
1 April 2007 16:04
#3
My Norton keeps detecting the HORSES virus; the only infected file is H:/WINDOWS/system32/aekjhaaa.exe
Merged post: 01.04.2007 (Sun) 18:07
"Kasia" - 07-04-01 17:59:22 Dodatek Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "H:\Downloads"

((((((((((((((((((((((((((((((( Files Created from 2007-03-01 to 2007-04-01 ))))))))))))))))))))))))))))))))))

2007-03-26 12:41
2007-03-26 12:41
2007-03-26 09:16
2007-03-20 19:53
2007-03-20 17:44 309,616 --a------ H:\WINDOWS\system32\wmv8dmod.dll
2007-03-20 17:44 1,415,680 --a------ H:\WINDOWS\system32\wmv9vcm.dll
2007-03-16 11:57
2007-03-16 10:14
2007-03-12 10:02 221,184 --a------ H:\WINDOWS\system32\wmpns.dll
2007-03-12 09:55
2007-03-10 20:04
2007-03-08 23:04
2007-03-04 12:54 3,968 --a------ H:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-03 23:19
2007-03-02 11:54 73,728 --a------ H:\WINDOWS\system32\pv.exe
2007-03-02 11:54 39,184 --a------ H:\WINDOWS\system32\Ntrights.exe
2007-03-02 11:54 175,616 --a------ H:\WINDOWS\system32\strings.exe
2007-03-02 11:54 126,976 --a------ H:\WINDOWS\system32\zip.exe
2007-03-02 11:54 11,254 --a------ H:\WINDOWS\system32\locate.com
2007-03-02 10:39
2007-03-01 13:09
2007-03-01 13:09
2007-03-01 13:08

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-01 17:55 -------- d-------- H:\DOCUME~1\Kasia\DANEAP~1\skype
2007-04-01 16:56 -------- d-------- H:\Program Files\lg_fwupdate
2007-04-01 16:56 -------- d-------- H:\Program Files\Common Files\symantec shared
2007-04-01 16:55 -------- d-------- H:\Program Files\emule
2007-03-25 08:59 49712 --a------ H:\WINDOWS\system32\perfc015.dat
2007-03-25 08:59 355830 --a------ H:\WINDOWS\system32\perfh015.dat
2007-03-08 17:20 -------- d-------- H:\Program Files\bitcomet
2007-03-06 21:35 -------- d-------- H:\Program Files\picasa2
2007-03-03 15:59 2560 --a------ H:\WINDOWS\system32\bitcometres.dll
2007-02-28 12:03 -------- d-------- H:\Program Files\norton antivirus
2007-02-28 09:54 25600 --a------ H:\WINDOWS\system32\aekjhaaa.exe
2007-02-28 09:54 1046 --a------ H:\WINDOWS\system32\jgkhaaaa.exe
2007-02-23 23:00 -------- d--h----- H:\Program Files\installshield installation information
2007-02-22 22:35 16 --a------ H:\WINDOWS\popcinfo.dat
2007-02-21 21:20 -------- d-------- H:\Program Files\bitdownload
2007-02-21 18:58 12528 --a------ H:\WINDOWS\system32\drivers\secdrv.sys
2007-02-20 17:03 -------- d-------- H:\Program Files\google
2007-02-19 22:04 -------- d-------- H:\DOCUME~1\Kasia\DANEAP~1\google
2007-02-19 21:11 -------- d-------- H:\DOCUME~1\Kasia\DANEAP~1\sun
2007-02-19 21:10 -------- d-------- H:\Program Files\java
2007-02-15 10:44 -------- d-------- H:\Program Files\symantec
2007-02-06 21:55 469712 --a------ H:\WINDOWS\macromix.dll
2007-02-03 12:10 -------- d-------- H:\DOCUME~1\Kasia\DANEAP~1\help
2007-02-03 09:08 -------- d-------- H:\Program Files\flashget
2007-02-02 23:03 -------- d-------- H:\Program Files\skype
2007-02-02 23:02 -------- d-------- H:\Program Files\gadu-gadu
2007-02-02 19:34 -------- d-------- H:\Program Files\messenger
2007-02-02 19:16 -------- d-------- H:\Program Files\Common Files\skype
2007-02-02 15:45 -------- d-------- H:\Program Files\symnetdrv
2007-02-02 13:34 -------- d-------- H:\DOCUME~1\Kasia\DANEAP~1\cyberlink
2007-02-02 12:51 -------- d-------- H:\Program Files\subedit-player
2007-01-24 06:09 62 --ahs---- H:\DOCUME~1\Kasia\DANEAP~1\desktop.ini
2007-01-24 05:14 21856 --a------ H:\WINDOWS\system32\emptyregdb.dat
2007-01-23 23:00 32 --ahs---- H:\WINDOWS{36de06f8-afab-41ef-8e02-dd22f627476e}.dat
2007-01-23 23:00 14 --a------ H:\WINDOWS\system32\sr2.dat
2007-01-22 13:00 719088 --a------ H:\WINDOWS\system32\skaneronline.dll
2007-01-19 10:40 89088 --a------ H:\WINDOWS\system32\skaneronlineuninstall.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="H:\WINDOWS\system32\ctfmon.exe"
"MSMSGS"=""H:\Program Files\Messenger\msmsgs.exe" /background"
"Gadu-Gadu"=""H:\Program Files\Gadu-Gadu\gg.exe" /tray"
"BitComet"=""H:\Program Files\BitComet\BitComet.exe""
"Skype"=""H:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized"
"swg"="H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
"eMuleAutoStart"="H:\Program Files\eMule\emule.exe -AutoStart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RTHDCPL"="RTHDCPL.EXE"
"NvCplDaemon"="RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"RemoteControl"=""H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe""
"NeroFilterCheck"="H:\WINDOWS\system32\NeroCheck.exe"
"LGODDFU"=""H:\Program Files\lg_fwupdate\fwupdate.exe""
"ccApp"="H:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"ccRegVfy"="H:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
"Symantec NetDriver Monitor"="H:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer"
"SunJavaUpdateSched"=""H:\Program Files\Java\jre1.5.0_11\bin\jusched.exe""
"Picasa Media Detector"="H:\Program Files\Picasa2\PicasaMediaDetector.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="InCD"
"hkey"="HKLM"
"command"="H:\Program Files\Ahead\InCD\InCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Skype"
"hkey"="HKCU"
"command"=""H:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="SkyTel"
"hkey"="HKLM"
"command"="SkyTel.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysvx.exe]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="sysvx"
"hkey"="HKLM"
"command"="H:\WINDOWS\system32\sysvx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://photos.allegro.pl/photos/orygina … /179196757

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7a6f0492-ab5b-11db-8bc9-e6d999d5b420}]
Shell\AutoRun\command J:\Autorun.exe /run
Shell\Shell00\Command J:\Autorun.exe /run
Shell\Shell01\Command J:\Autorun.exe /action
Shell\Shell02\Command J:\Autorun.exe /uninstall

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070325-121307-387
O4 - HKLM\..\Run: [mtvdnvkq] H:\WINDOWS\system32\mtvdnvkq.exe

backup-20070303-214338-297
O2 - BHO: (no name) - {B4FAF6E4-77D0-46c7-8656-7F7B45056451} - (no file)

Contents of the 'Scheduled Tasks' folder
H:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-01 18:03:39
adam9870
(adam9870)
1 April 2007 18:27
#4
Download the KillBox program, select Delete on reboot, and in the "full path of file" field paste the paths:
H:\WINDOWS\system32\aekjhaaa.exe
H:\WINDOWS\system32\jgkhaaaa.exe
H:\WINDOWS{36de06f8-afab-41ef-8e02-dd22f627476e}.dat
After pasting each path separately, click the red X, but only agree to the restart after pasting the last one.
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.
Once done, paste a new ComboFix log.
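As an added example (not code from the thread, from ComboFix, or from KillBox), this small Python helper reads ComboFix "Files Created" / "Find3M" lines like the ones posted above and applies the same triage reasoning the helper used here: starting from the file Norton flagged, list everything written to the same directory in the same minute, and list hidden+system files that deserve a second look. The sample lines are copied from the first ComboFix log; the line pattern and all function names are my assumptions.

```python
import re
from collections import defaultdict

# One ComboFix file entry: date, time, size (or dashes for a directory),
# a 9-character attribute field (d/a/h/s/r or '-'), then the full path.
# Bare timestamps and section banners do not match and are skipped.
# (Assumed pattern; ComboFix's real column spacing varies between versions.)
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>\S.*)$"
)

# Constructed sample: a handful of Find3M lines copied from the thread's
# first ComboFix log, paths exactly as they appear there.
SAMPLE_LOG = r"""
2007-03-02 11:54 73,728 --a------ H:\WINDOWS\system32\pv.exe
2007-02-28 12:03 -------- d-------- H:\Program Files\norton antivirus
2007-02-28 09:54 25600 --a------ H:\WINDOWS\system32\aekjhaaa.exe
2007-02-28 09:54 1046 --a------ H:\WINDOWS\system32\jgkhaaaa.exe
2007-02-23 23:00 -------- d--h----- H:\Program Files\installshield installation information
2007-01-24 06:09 62 --ahs---- H:\DOCUME~1\Kasia\DANEAP~1\desktop.ini
2007-01-23 23:00 32 --ahs---- H:\WINDOWS{36de06f8-afab-41ef-8e02-dd22f627476e}.dat
2007-01-23 23:00 14 --a------ H:\WINDOWS\system32\sr2.dat
"""


def parse_combofix(text):
    """Return one dict (stamp, size, attrs, path) per file or directory entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = m.group("size")
        entries.append({
            "stamp": f"{m.group('date')} {m.group('time')}",
            "size": None if size.startswith("-") else int(size.replace(",", "")),
            "attrs": m.group("attrs"),
            "path": m.group("path"),
        })
    return entries


def parent_dir(path):
    return path.rsplit("\\", 1)[0].lower()


def sibling_clusters(entries):
    """Group regular files by (directory, minute). A dropper writes its
    components together, so a cluster is worth a second look."""
    groups = defaultdict(list)
    for e in entries:
        if not e["attrs"].startswith("d"):
            groups[(parent_dir(e["path"]), e["stamp"])].append(e["path"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def dropped_alongside(entries, known_bad):
    """Files written to the same directory in the same minute as known_bad."""
    bad = next((e for e in entries if e["path"].lower() == known_bad.lower()), None)
    if bad is None:
        return []
    cluster = sibling_clusters(entries).get((parent_dir(bad["path"]), bad["stamp"]), [])
    return [p for p in cluster if p.lower() != bad["path"].lower()]


def hidden_system_files(entries):
    """Regular files carrying both the hidden and system attributes; desktop.ini
    is expected, a GUID-named .dat under the Windows directory is not."""
    return sorted(e["path"] for e in entries
                  if not e["attrs"].startswith("d")
                  and "h" in e["attrs"] and "s" in e["attrs"])


if __name__ == "__main__":
    found = parse_combofix(SAMPLE_LOG)
    for p in dropped_alongside(found, r"H:\WINDOWS\system32\aekjhaaa.exe"):
        print("dropped with the flagged file:", p)
    for p in hidden_system_files(found):
        print("hidden+system:", p)
```

Run against a full log, the sibling check turns the one path an AV names into the list of files to remove together, which is exactly how jgkhaaaa.exe ended up in the KillBox list above.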
Mr.Irek
(Iziolkowski)
2 April 2007 15:01
#5
I have performed all the steps.
Now the ComboFix log:
"Kasia" - 07-04-02 16:57:45 Dodatek Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "H:\ANTYWIRUSY"

((((((((((((((((((((((((((((((( Files Created from 2007-03-02 to 2007-04-02 ))))))))))))))))))))))))))))))))))

2007-04-02 16:51 124 --a------ H:\FIX.REG
2007-04-01 19:24
2007-04-01 19:24
2007-04-01 19:22
2007-04-01 19:19 639,224 --a------ H:\WINDOWS\system32\drivers\sptd.sys
2007-04-01 18:30
2007-03-26 12:41
2007-03-26 12:41
2007-03-26 09:16
2007-03-20 19:53
2007-03-20 17:44 309,616 --a------ H:\WINDOWS\system32\wmv8dmod.dll
2007-03-20 17:44 1,415,680 --a------ H:\WINDOWS\system32\wmv9vcm.dll
2007-03-16 11:57
2007-03-16 10:14
2007-03-12 10:02 221,184 --a------ H:\WINDOWS\system32\wmpns.dll
2007-03-12 09:55
2007-03-10 20:04
2007-03-08 23:04
2007-03-04 12:54 3,968 --a------ H:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-03 23:19
2007-03-02 11:54 73,728 --a------ H:\WINDOWS\system32\pv.exe
2007-03-02 11:54 39,184 --a------ H:\WINDOWS\system32\Ntrights.exe
2007-03-02 11:54 175,616 --a------ H:\WINDOWS\system32\strings.exe
2007-03-02 11:54 126,976 --a------ H:\WINDOWS\system32\zip.exe
2007-03-02 11:54 11,254 --a------ H:\WINDOWS\system32\locate.com
2007-03-02 10:39

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-02 16:55 -------- d-------- H:\DOCUME~1\Kasia\DANEAP~1\skype
2007-04-02 16:54 -------- d-------- H:\Program Files\lg_fwupdate
2007-04-02 16:53 -------- d-------- H:\Program Files\emule
2007-04-02 16:53 -------- d-------- H:\Program Files\Common Files\symantec shared
2007-03-25 08:59 49712 --a------ H:\WINDOWS\system32\perfc015.dat
2007-03-25 08:59 355830 --a------ H:\WINDOWS\system32\perfh015.dat
2007-03-08 17:20 -------- d-------- H:\Program Files\bitcomet
2007-03-06 21:35 -------- d-------- H:\Program Files\picasa2
2007-03-03 15:59 2560 --a------ H:\WINDOWS\system32\bitcometres.dll
2007-03-01 13:09 -------- d-------- H:\Program Files\lavasoft
2007-03-01 13:09 -------- d-------- H:\DOCUME~1\Kasia\DANEAP~1\lavasoft
2007-03-01 13:08 -------- d-------- H:\Program Files\Common Files\wise installation wizard
2007-02-28 12:03 -------- d-------- H:\Program Files\norton antivirus
2007-02-23 23:00 -------- d--h----- H:\Program Files\installshield installation information
2007-02-22 22:35 16 --a------ H:\WINDOWS\popcinfo.dat
2007-02-21 21:20 -------- d-------- H:\Program Files\bitdownload
2007-02-21 18:58 12528 --a------ H:\WINDOWS\system32\drivers\secdrv.sys
2007-02-20 17:03 -------- d-------- H:\Program Files\google
2007-02-19 22:04 -------- d-------- H:\DOCUME~1\Kasia\DANEAP~1\google
2007-02-19 21:11 -------- d-------- H:\DOCUME~1\Kasia\DANEAP~1\sun
2007-02-19 21:10 -------- d-------- H:\Program Files\java
2007-02-15 10:44 -------- d-------- H:\Program Files\symantec
2007-02-06 21:55 469712 --a------ H:\WINDOWS\macromix.dll
2007-02-03 12:10 -------- d-------- H:\DOCUME~1\Kasia\DANEAP~1\help
2007-02-03 09:08 -------- d-------- H:\Program Files\flashget
2007-02-02 23:03 -------- d-------- H:\Program Files\skype
2007-02-02 23:02 -------- d-------- H:\Program Files\gadu-gadu
2007-02-02 19:34 -------- d-------- H:\Program Files\messenger
2007-02-02 19:16 -------- d-------- H:\Program Files\Common Files\skype
2007-02-02 15:45 -------- d-------- H:\Program Files\symnetdrv
2007-02-02 13:34 -------- d-------- H:\DOCUME~1\Kasia\DANEAP~1\cyberlink
2007-02-02 12:51 -------- d-------- H:\Program Files\subedit-player
2007-01-24 06:09 62 --ahs---- H:\DOCUME~1\Kasia\DANEAP~1\desktop.ini
2007-01-24 05:14 21856 --a------ H:\WINDOWS\system32\emptyregdb.dat
2007-01-23 23:00 14 --a------ H:\WINDOWS\system32\sr2.dat
2007-01-22 13:00 719088 --a------ H:\WINDOWS\system32\skaneronline.dll
2007-01-19 10:40 89088 --a------ H:\WINDOWS\system32\skaneronlineuninstall.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="H:\WINDOWS\system32\ctfmon.exe"
"MSMSGS"=""H:\Program Files\Messenger\msmsgs.exe" /background"
"Gadu-Gadu"=""H:\Program Files\Gadu-Gadu\gg.exe" /tray"
"BitComet"=""H:\Program Files\BitComet\BitComet.exe""
"Skype"=""H:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized"
"swg"="H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
"eMuleAutoStart"="H:\Program Files\eMule\emule.exe -AutoStart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RTHDCPL"="RTHDCPL.EXE"
"NvCplDaemon"="RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"RemoteControl"=""H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe""
"NeroFilterCheck"="H:\WINDOWS\system32\NeroCheck.exe"
"LGODDFU"=""H:\Program Files\lg_fwupdate\fwupdate.exe""
"ccApp"="H:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"ccRegVfy"="H:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
"Symantec NetDriver Monitor"="H:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer"
"SunJavaUpdateSched"=""H:\Program Files\Java\jre1.5.0_11\bin\jusched.exe""
"Picasa Media Detector"="H:\Program Files\Picasa2\PicasaMediaDetector.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="InCD"
"hkey"="HKLM"
"command"="H:\Program Files\Ahead\InCD\InCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Skype"
"hkey"="HKCU"
"command"=""H:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="SkyTel"
"hkey"="HKLM"
"command"="SkyTel.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://photos.allegro.pl/photos/orygina … /179196757

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7a6f0492-ab5b-11db-8bc9-e6d999d5b420}]
Shell\AutoRun\command J:\Autorun.exe /run
Shell\Shell00\Command J:\Autorun.exe /run
Shell\Shell01\Command J:\Autorun.exe /action
Shell\Shell02\Command J:\Autorun.exe /uninstall

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{a4c17962-e075-11db-9504-0018f3122744}]
Shell\AutoRun\command E:\autorun.exe

Contents of the 'Scheduled Tasks' folder
H:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-02 16:59:17