Trojan- Spy.win32@mx

system · 31 Październik 2007 16:35

Witam proszę o pomoc w celu usunięcia trojan-Spy.win32@mx zrobiłem loga z HijackThis - v1.99.1. Niestety nie jest to jedyny robak jaki opanował kompa. Dziękuję z góry za pomoc.

Logfile of HijackThis v1.99.1

Scan saved at 17:28:14, on 2007-10-31

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Spyware Doctor\svcntaux.exe

C:\Program Files\Spyware Doctor\swdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Spyware Doctor\SDTrayApp.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\administrator\Pulpit\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://sbs2005:8080/array.dll?Get.Routing.Script

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sbs2005:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gbdrmwic.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\gbdrmwic.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"

O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll

O14 - IERESET.INF: START_PAGE_URL=http://companyweb

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://sbs2005/tsweb/msrdp.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sbsmenis.edu.pl

O17 - HKLM\Software\..\Telephony: DomainName = sbsmenis.edu.pl

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sbsmenis.edu.pl

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: gbdrmwic - C:\WINDOWS\SYSTEM32\gbdrmwic.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

O23 - Service: Securom User Access for Windows 2000 and Windows XP a technology by Sony DADC (UserAccess) - Unknown owner - C:\PROGRAM FILES\COMMON FILES\YDP\USERACCESSMANAGER\useraccess.exe (file missing)

Gutek · 1 Listopad 2007 10:53

usu wopisy HJT plik ręcznie

Użyj VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone.

Daj log z ComboFix

system · 5 Listopad 2007 14:41

Dziękuję bardzo. Wygląda, że jest wszystko w porządku. Usunąłem plik zaznaczony na czerwono programem VundoFix V6.5.11

Krzychuu · 5 Listopad 2007 14:53

pablo1000 jednak dla pewności daj tego loga z ComboFix.

system · 9 Listopad 2007 14:11

Witam.

Tak się zbierałem do wysłania loga z combofix, że sypnął się internet na komputerach stacyjkowych (czy może mieć to związek z tymi robakami, które opanowały kompa) Na żadnym kompie nie można wejść na administratora, a gdy się loguję na studenta, wyskakuje komunikat:

System Windows nie może zlokalizować na serwerze kopii twojego profilu

mobilnego i próbuje wykonać logowanie w twoim profilu lokalnym. Kiedy się

wylogujesz, zmiany tego profilu nie zostaną skopiowane na serwer. Możliwym

powodem tego błędu są problemy z siecią lub brak wystarczających praw

zabezpieczeń. Jeśli ten problem będzie się powtarzać, skontaktuj się z

administratorem sieci.

Jeśli mogę liczyć na pomoc to już z góry dziękuję.

Złączono Posta : 12.11.2007 (Pon) 17:03

ComboFix 07-11-05.2 - administrator 2007-11-12 16:54:11.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.201 [GMT 1:00]

Running from: C:\Documents and Settings\administrator\Pulpit\ochrona\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\student010d\Ulubione\Online Security Guide.lnk

.

((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))

.

2007-11-08 11:23

2007-11-06 12:40

2007-11-05 14:59

2007-10-31 16:55 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-10-25 19:38 35,840 -ra------ C:\WINDOWS\mrofinu1000137.exe

2007-10-25 08:30

2007-10-25 08:30 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

2007-10-25 08:30 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2007-10-25 08:30 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2007-10-25 08:30 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2007-10-25 08:30 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2007-10-24 15:33

2007-10-24 15:07

2007-10-24 14:46

2007-10-24 14:13

2007-10-22 12:14

2007-10-22 12:14 1,635 --a------ C:\Temp\enilef.exe

2007-10-17 13:31

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-19 13:58 85,504 ----a-w C:\WINDOWS\system32\pintool.exe

2007-10-19 13:58 61,952 ----a-w C:\WINDOWS\system32\HdAShCut.exe

2007-10-19 13:58 6,584,832 ----a-w C:\WINDOWS\system32\RTLCPL.EXE

2007-10-19 13:58 52,224 ----a-w C:\WINDOWS\system32\migpwd.exe

2007-10-19 13:58 483,328 ----a-w C:\WINDOWS\system32\igfxcfg.exe

2007-10-19 13:58 47,104 ----a-w C:\WINDOWS\system32\uwdf.exe

2007-10-19 13:58 454,928 ----a-w C:\WINDOWS\system32\EUROPA.SCR

2007-10-19 13:58 28,672 ----a-w C:\WINDOWS\system32\verclsid.exe

2007-10-19 13:58 22,752 ----a-w C:\WINDOWS\system32\spupdsvc.exe

2007-10-19 13:58 20,480 ----a-w C:\WINDOWS\system32\cliconfg.exe

2007-10-19 13:58 189,952 ----a-w C:\WINDOWS\system32\WISPTIS.EXE

2007-10-19 13:58 16,896 ----a-w C:\WINDOWS\system32\ibmwave.exe

2007-10-19 13:58 151,552 ----a-w C:\WINDOWS\system32\igfxdiag.exe

2007-10-19 13:58 118,784 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe

2007-10-19 13:58 114,688 ----a-w C:\WINDOWS\system32\igfxzoom.exe

2007-10-19 13:58 110,592 ----a-w C:\WINDOWS\system32\igfxext.exe

2007-10-19 13:57 327,168 ----a-w C:\WINDOWS\IsUn0415.exe

2007-10-19 13:57 305,152 ----a-w C:\WINDOWS\IsUninst.exe

2007-10-19 13:57 2,973,696 ----a-w C:\WINDOWS\UNNeroVision.exe

2007-10-19 13:57 2,920,448 ----a-w C:\WINDOWS\UNNMP.exe

2007-10-19 13:57 2,658,304 ----a-w C:\WINDOWS\UNNeroBurnRights.exe

2007-10-19 13:57 151,552 ----a-w C:\WINDOWS\nvchost.exe

2007-10-19 06:45 155,648 ----a-w C:\WINDOWS\system32\NeroCheck.exe

2007-10-19 06:45 155,648 ----a-w C:\WINDOWS\system32\igfxtray.exe

2007-10-19 06:45 --------- d-----w C:\Program Files\Windows Media Connect 2

2007-09-21 07:41 --------- d-----w C:\Documents and Settings\administrator\Dane aplikacji\Tibia

2005-05-11 22:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll

.

((((((((((((((((((((((((((((( snapshot@2007-10-31_17.16.22.96 )))))))))))))))))))))))))))))))))))))))))

.

2007-10-26 08:51:17 136,192 ----a-w C:\WINDOWS\catchme.exe

2007-10-29 17:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe

2007-04-02 13:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe

2007-07-22 17:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe

2007-10-31 16:15:12 901,120 ----a-w C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat

2007-11-12 15:56:08 950,272 ----a-w C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“SoundMan”=“SOUNDMAN.EXE” [2004-02-26 14:53 C:\WINDOWS\SOUNDMAN.EXE]

“IgfxTray”=“C:\WINDOWS\system32\igfxtray.exe” [2007-10-19 07:45]

“HotKeysCmds”=“C:\WINDOWS\system32\hkcmd.exe” [2004-05-06 08:48]

“HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2005-05-11 23:12]

“Synchronization Manager”=“C:\WINDOWS\system32\mobsync.exe” [2004-08-04 13:00]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” [2005-11-10 13:03]

“SDTray”=“C:\Program Files\Spyware Doctor\SDTrayApp.exe” [2007-10-02 15:27]

“Anti Trojan Elite”=“C:\Program Files\Anti Trojan Elite\TJEnder.exe” []

“NI.UGA6P_0001_N122M2210”=“C:\Documents and Settings\administrator\Pulpit\install_en.exe” []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 13:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

“disablecad”=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

“NoWelcomeScreen”=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-1641\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-1650\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2149\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2150\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2590\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2641\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2642\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2643\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2644\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2645\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2646\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2648\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2649\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2650\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2651\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2652\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2653\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2654\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2680\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-2690\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-3140\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-3142\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-3145\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2106472956-637462658-1320264234-3151\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2756001398-2085459168-2910692662-2150\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2756001398-2085459168-2910692662-3211\Scripts\Logon\0\0]

“Script”=printer.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]

“C:\Program Files\BearShare\BearShare.exe” /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

“C:\Program Files\Gadu-Gadu\gg.exe” /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Komunikator]

C:\Program Files\Tlen.pl\tlen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R2 FwcAgent;Firewall Client Agent;“C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe”

S3 ATE_PROCMON;ATE_PROCMON;??\C:\Program Files\Anti Trojan Elite\ATEPMon.sys

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{44BBA844-CC51-11CF-AAFA-00AA00B6015C}]

rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\CChat25.inf,PerUserAdd.NT

.

**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-12 16:56:20

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-11-12 16:57:17

C:\ComboFix2.txt … 2007-11-05 15:26

C:\ComboFix3.txt … 2007-10-31 17:17

.

— E O F —