I only found one…
and here is the log
Logfile of HijackThis v1.99.1
Scan saved at 21:22:36, on 2007-04-05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\K U B A\kuba\programy\ewido\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
F:\K U B A\kuba\programy\firewall\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SEC\MagicTune3.6\GammaTray.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\WinRAR\WinRAR.exe
F:\K U B A\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {FF0C56CD-972E-BC88-7A41-9DECAA9015CF} - C:\WINDOWS\system32\dqrq.dll (file missing)
R3 - URLSearchHook: (no name) - {ACDA9D2A-0393-7A6C-991F-08E52A184095} - C:\WINDOWS\system32\alk.dll (file missing)
R3 - URLSearchHook: (no name) - {A913C6F8-7F6F-05BF-15D6-03F2CA254DB8} - C:\WINDOWS\system32\eyhnuhnn.dll (file missing)
R3 - URLSearchHook: (no name) - {F563D04C-1CA0-6007-A299-104490F14EC3} - C:\WINDOWS\system32\yjrxek.dll (file missing)
R3 - URLSearchHook: (no name) - {A0432BE0-B502-9FA1-0023-EB1BB574109D} - C:\WINDOWS\system32\oonbfnn.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CE3AA13-61F4-1B02-F24C-6DE34A99A99A} - C:\WINDOWS\system32\gbiu.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\K U B A\kuba\programy\bit comet\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: (no name) - {8F9CCDC6-7508-0182-7E30-5DD7487E61E2} - C:\WINDOWS\system32\ufjtzg.dll (file missing)
O2 - BHO: (no name) - {A0432BE0-B502-9FA1-0023-EB1BB574109D} - C:\WINDOWS\system32\oonbfnn.dll (file missing)
O2 - BHO: (no name) - {A913C6F8-7F6F-05BF-15D6-03F2CA254DB8} - C:\WINDOWS\system32\eyhnuhnn.dll (file missing)
O2 - BHO: (no name) - {ACDA9D2A-0393-7A6C-991F-08E52A184095} - C:\WINDOWS\system32\alk.dll (file missing)
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O2 - BHO: (no name) - {D64FCB6C-5781-7E79-DD4B-5D90EDA169C8} - C:\WINDOWS\system32\mcug.dll (file missing)
O2 - BHO: (no name) - {E5687D4A-B8FF-C757-A4D9-B4DEC9C20AC6} - C:\WINDOWS\system32\uoecsc.dll (file missing)
O2 - BHO: (no name) - {F563D04C-1CA0-6007-A299-104490F14EC3} - C:\WINDOWS\system32\yjrxek.dll (file missing)
O2 - BHO: (no name) - {FF0C56CD-972E-BC88-7A41-9DECAA9015CF} - C:\WINDOWS\system32\dqrq.dll (file missing)
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM…\Run: [CreativeMouse] C:\Program Files\Mouse Driver\MouseDrv.exe
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
O4 - HKLM…\Run: [Outpost Firewall] F:\K U B A\kuba\programy\firewall\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM…\Run: [OutpostFeedBack] F:\K U B A\kuba\programy\firewall\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM…\Run: [sunServer] F:\K U B A\kuba\programy\centerspy\sunserver.exe
O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: MagicTune 3.6.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = G:\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NCProTray.lnk = ?
O8 - Extra context menu item: Download all links using BitComet - res://F:\K U B A\kuba\programy\bit comet\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://F:\K U B A\kuba\programy\bit comet\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://F:\K U B A\kuba\programy\bit comet\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - F:\K U B A\kuba\programy\firewall\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: F:\KUBA~1\kuba\programy\firewall\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\K U B A\kuba\programy\ewido\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - F:\K U B A\kuba\programy\firewall\Outpost Firewall\outpost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
and here is also the one from ComboFix
"Mamusia" - 07-04-04 23:27:35 Dodatek Service Pack 2
ComboFix 07-04-04.5 - Running from: "C:\Program Files\Mozilla Firefox"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\hosts
C:\Program Files\Common Files{B4005~1

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\Mamusia
C:\qoobox\purity\DOCUME~1\Mamusia\DANEAP~1
C:\qoobox\purity\DOCUME~1\Mamusia\MOJEDO~1
C:\qoobox\purity\DOCUME~1\Mamusia\DANEAP~1\DOBE~1
C:\qoobox\purity\DOCUME~1\Mamusia\DANEAP~1\from.txt
C:\qoobox\purity\DOCUME~1\Mamusia\DANEAP~1\ICROSO~1
C:\qoobox\purity\DOCUME~1\Mamusia\DANEAP~1\SKS~1
C:\qoobox\purity\DOCUME~1\Mamusia\DANEAP~1\SKS~1\SKS~1
C:\qoobox\purity\DOCUME~1\Mamusia\DANEAP~1\SKS~1\spool32.exe
C:\qoobox\purity\DOCUME~1\Mamusia\MOJEDO~1\ASKS~1
C:\qoobox\purity\DOCUME~1\Mamusia\MOJEDO~1\from.txt
C:\qoobox\purity\DOCUME~1\Mamusia\MOJEDO~1\PPPATC~1
C:\qoobox\purity\Program Files\SMANTE~1
C:\qoobox\purity\Program Files\WNSXS~1
C:\qoobox\purity\Program Files\Common Files\ICROSO~1
C:\qoobox\purity\Program Files\Common Files\SKS~1
C:\qoobox\purity\Program Files\Common Files\STEM~1
C:\qoobox\purity\WINDOWS\FNTS~1
C:\qoobox\purity\WINDOWS\RACLE~1
C:\qoobox\purity\WINDOWS\RACLE~1\n?tepad.exe
C:\qoobox\purity\WINDOWS\system32\DOBE~1

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\nm
-------\LEGACY_MCHINJDRV
-------\LEGACY_NM

((((((((((((((((((((((((((((((( Files Created from 2007-03-04 to 2007-04-04 ))))))))))))))))))))))))))))))))))

2007-04-04 22:59 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-04 22:59
2007-04-04 22:59
2007-04-04 22:59
2007-04-04 22:59
2007-04-04 22:59
2007-04-04 22:59
2007-04-04 22:59
2007-04-04 22:26
2007-04-01 19:38 38,872 --------- C:\WINDOWS\hpomdl03.dat
2007-04-01 19:38 29,684 --a------ C:\WINDOWS\hpoins03.dat
2007-04-01 19:33
2007-03-31 17:50
2007-03-31 17:49 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-03-31 17:49 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-03-31 17:49 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-03-31 17:49 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-03-31 17:49 1,565,480 --a------ C:\WINDOWS\system32\wmv9vcm.dll
2007-03-31 17:49
2007-03-31 17:49
2007-03-18 14:01

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-03-31 17:48 -------- d-------- C:\DOCUME~1\Mamusia\DANEAP~1\real
2007-03-30 14:25 -------- d-------- C:\DOCUME~1\Mamusia\DANEAP~1\skype
2007-03-25 09:47 81700 --a------ C:\WINDOWS\system32\perfc015.dat
2007-03-25 09:47 464110 --a------ C:\WINDOWS\system32\perfh015.dat
2007-03-22 20:23 869 --a------ C:\WINDOWS\ereg.dat
2007-03-22 20:21 -------- d--h----- C:\Program Files\installshield installation information
2007-03-08 17:38 579072 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 17:38 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:38 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:37 1843840 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-04 01:35 2560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-02-27 20:54 -------- d-------- C:\Program Files\skype
2007-02-27 20:54 -------- d-------- C:\Program Files\Common Files\skype
2007-02-26 22:45 -------- d-------- C:\Program Files\getright
2007-02-23 22:48 -------- d-------- C:\Program Files\sec
2007-02-20 23:19 -------- d-------- C:\Program Files\musicmatch
2007-02-07 21:56 -------- d-------- C:\Program Files\sagem
2007-02-07 21:36 -------- d-------- C:\Program Files\neostrada tp
2007-02-07 20:52 -------- d-------- C:\Program Files\wanadoo
2007-02-04 23:03 -------- d-------- C:\Program Files\xoftspy
2007-02-04 21:20 -------- d-------- C:\Program Files\kaspersky lab
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
"MSMSGS"=""C:\Program Files\Messenger\msmsgs.exe" /background"
"Nde"="C:\WINDOWS\?racle\n?tepad.exe"
"Cncb"=""C:\DOCUME~1\Mamusia\DANEAP~1\SKS~1\spool32.exe" -vt ndrv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"qvuxcn"="C:\WINDOWS\qvuxcn.exe"
"Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
"CreativeMouse "="C:\Program Files\Mouse Driver\MouseDrv.exe"
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe"
"bec25a63"="RUNDLL32.EXE w029d8c4.dll,n 00625a5d0000000a029d8c4"
"QuickTime Task"=""D:\QuickTime\qttask.exe" -atboottime"
"Outpost Firewall"="F:\K U B A\kuba\programy\firewall\Outpost Firewall\outpost.exe /waitservice"
"OutpostFeedBack"="F:\K U B A\kuba\programy\firewall\Outpost Firewall\feedback.exe /dump:os_startup"
@=""
"SunServer"="F:\K U B A\kuba\programy\centerspy\sunserver.exe"
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe"
"nwiz"="nwiz.exe /install"
"HP Component Manager"=""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DSLMON.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\DSLMON.lnk"
"backup"="C:\WINDOWS\pss\DSLMON.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\SAGEM\SAGEMF~1\dslmon.exe /W"
"item"="DSLMON"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^GStartup.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\GStartup.lnk"
"backup"="C:\WINDOWS\pss\GStartup.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\Program Files\Common Files\GMT\GMT.exe /startup"
"item"="GStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk"
"backup"="C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="D:\HP\DIGITA~1\bin\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adiras]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="adiras"
"hkey"="HKLM"
"command"="adiras.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="points manager"
"hkey"="HKLM"
"command"="c:\program files\altnet\points manager\points manager.exe -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoclk]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="autoclk"
"hkey"="HKLM"
"command"="autoclk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="ashDisp"
"hkey"="HKLM"
"command"="d:\Avast4\ashDisp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"=""D:\BearShare\BearShare.exe" /pause"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"=""C:\Program Files\Common Files\Symantec Shared\ccApp.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="CMESys"
"hkey"="HKLM"
"command"=""C:\Program Files\Common Files\CMEII\CMESys.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\WINDOWS\system32\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="gg"
"hkey"="HKCU"
"command"=""D:\Gadu-Gadu\gg.exe" /tray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"=""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="HPWuSchd"
"hkey"="HKLM"
"command"=""D:\HP\HP Software Update\HPWuSchd.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="kazaa"
"hkey"="HKLM"
"command"="D:\kazaa.exe /SYSTRAY"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"=""C:\Program Files\Messenger\msmsgs.exe" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\WINDOWS\system32\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="P2P Networking"
"hkey"="HKLM"
"command"="C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ptipbmf]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="rundll32"
"hkey"="HKLM"
"command"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"=""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemCleaner]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Scheduler"
"hkey"="HKLM"
"command"="D:\System Cleaner 2000\Scheduler.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="UrlLstCk"
"hkey"="HKLM"
"command"="D:\Norton Internet Security\UrlLstCk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="d:\Winamp\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WooCnxMon]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="CnxMon"
"hkey"="HKLM"
"command"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOTASKBARICON]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="taskbaricon"
"hkey"="HKLM"
"command"="C:\Program Files\Neostrada TP\taskbaricon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOWATCH]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Watch"
"hkey"="HKLM"
"command"="C:\PROGRA~1\NEOSTR~1\Watch.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="F:\KUBA~1\kuba\programy\firewall\OUTPOS~1\wl_hook.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{f72a7bcc-5d1f-11db-b2f7-806d6172696f}]
Shell\AutoRun\command
K:\ANNOfinder.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\WebReg 20041113213215.job
C:\WINDOWS\tasks\XoftSpy.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes …
scanning hidden services …
scanning hidden autostart entries …
scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-04 23:30:31
C:\ComboFix-quarantined-files.txt … 07-04-04 23:30