WinAntivirus Pro - strony same się otwierają

meason · 23 Marzec 2007 12:23

Witam

MAm taki problem, że nagle ni stąd ni zowąd strony WinAntivirus Pro 2006 się otwierają. To chyba nie jest antywirus tylko wirus. Skanowałem kompa Avastem,Pandą 2007, Totamlscane i skanerem online mkswir. Nic nie wykryły, a przecież sam nie otwieram tych stron :?

Złączono Posta : 23.03.2007 (Pią) 13:26

Daje loga z HijackThis

Logfile of HijackThis v1.99.1 Scan saved at 13:25:56, on 2007-03-23 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\RunDll32.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\Program Files\MSI\Live Update 3\LMonitor.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Multimedia Keyboard Driver\PS2USBKbdDrv.exe c:\program files\panda software\panda antivirus 2007\WebProxy.exe C:\PROGRA~1\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Lavalys\EVEREST Home Edition\everest.bin C:\Program Files\Panda Software\Panda Antivirus 2007\psimreal.exe C:\Documents and Settings\Meason\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O4 - HKLM…\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [sW20] C:\WINDOWS\system32\sw20.exe O4 - HKLM…\Run: [sW24] C:\WINDOWS\system32\sw24.exe O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [WireLessKeyboard] C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe” O4 - HKLM…\Run: [2chkdsk] rundll32.exe “C:\WINDOWS\system32\nsmkgcax.dll”,setvm O4 - HKLM…\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [APVXDWIN] “C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE” /s O4 - HKLM…\Run: [soundService] rundll32.exe “C:\WINDOWS\system32\dkiighcr.dll”,setvm O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: http://mks.com.pl O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascinstie.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab O17 - HKLM\System\CCS\Services\Tcpip…{17864ACA-DCB1-44CA-80A3-DAF62455F2F3}: NameServer = 194.204.159.1,80.72.32.6 O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

bolo11 · 23 Marzec 2007 13:14

To jest fałszywy antywirus, adware tylko nic nim nie skanuj .

adam9870 · 23 Marzec 2007 15:32

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:

C:\WINDOWS\system32\nsmkgcax.dll

C:\WINDOWS\system32\dkiighcr.dll

po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart. Jeśli po wklejeniu którejś ścieżki pojawi się błąd to nie przejmuj się nim tylko przejdź do wykonywania dalszych czynności.

Usuń wpisy HJT.

Użyj VundoFix + FixVundo + VirtumundoBeGone. Wszystkie narzędzia należy uruchomić będąc w trybie awaryjnym.

Użyj narzędzia SmitFraudFix z opcji numer 2 w trybie awaryjnym.

Po wykonaniu wklej log z SilentRunners i ComboFix oraz zawartość pliku c:\vundofix.txt

meason · 23 Marzec 2007 16:44

SilentRunners:

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “AudCtrl” = “RunDll32 AudCtrl.dll,RCMonitor” [MS] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “SW20” = “C:\WINDOWS\system32\sw20.exe” [empty string] “SW24” = “C:\WINDOWS\system32\sw24.exe” [null data] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS] “WireLessKeyboard” = “C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe” [empty string] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “LiveMonitor” = “C:\Program Files\MSI\Live Update 3\LMonitor.exe” [empty string] “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “APVXDWIN” = ““C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE” /s” [“Panda Software International”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] {7D60E31D-0829-4949-BC41-CB7AB452D653}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\rthfulkd.dll” [file not found] {D38439EC-4A7F-42b4-90C2-D810D7778FDD}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\ouuqvtfy.dll” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{A4DF5659-0801-4A60-9607-1C48695EFDA9}” = “Folder przesyłania Share-to-Web” -> {HKLM…CLSID} = “Folder przesyłania Share-to-Web” \InProcServer32(Default) = “C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL” [“Hewlett-Packard”] “{8BE13461-936F-11D1-A87D-444553540000}” = “Eraser Shell Extension” -> {HKLM…CLSID} = “Eraser Shell Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\erasext.dll” ["-"] “{65756541-C65C-11CD-0000-4B656E696100}” = “Panda Antivirus” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Antivirus 2007\ShellTit.DLL” [“Panda Software International”] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}” -> {HKLM…CLSID} = “WPDShServiceObj Class” \InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> avldr\DLLName = “avldr.dll” [“Panda Software”] <> mllmk\DLLName = “C:\WINDOWS\system32\mllmk.dll” [file not found] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Erasext(Default) = “{8BE13461-936F-11D1-A87D-444553540000}” -> {HKLM…CLSID} = “Eraser Shell Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\erasext.dll” ["-"] Panda Antivirus(Default) = “{65756541-C65C-11CD-0000-4B656E696100}” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Antivirus 2007\ShellTit.DLL” [“Panda Software International”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Erasext(Default) = “{8BE13461-936F-11D1-A87D-444553540000}” -> {HKLM…CLSID} = “Eraser Shell Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\erasext.dll” ["-"] Panda Antivirus(Default) = “{65756541-C65C-11CD-0000-4B656E696100}” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Antivirus 2007\ShellTit.DLL” [“Panda Software International”] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Meason\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\logon.scr” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\Program Files\Panda Software\Panda Antivirus 2007\pavlsp.dll [“Panda Software International”], 01 - 03, 19 %SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 18 %SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{74DD705D-6834-439C-A735-A6DBE2677452}” -> {HKLM…CLSID} = “&VSAdd-in” \InProcServer32(Default) = “C:\Program Files\VSAdd-in\VSAdd-in.dll” [file not found] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.5.0_11” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_11” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll” [“Sun Microsystems, Inc.”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] Panda anti-virus service, PAVSRV, ““C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe”” [“Panda Software International”] Panda IManager Service, PSIMSVC, ““C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe”” [“Panda Software”] Ulead Burning Helper, UleadBurningHelper, “C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe” [“Ulead Systems, Inc.”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 23 seconds. ---------- (total run time: 46 seconds)

ComboFix:

“Administrator” - 04-01-01 3:52:27 Dodatek Service Pack 2 ComboFix 07-03-22.2 - Running from: “C:\Documents and Settings\Administrator\Pulpit” (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\winsys.exe C:\Program Files\vsadd-in ((((((((((((((((((((((((((((((( Files Created from 2003-12-01 to 2004-01-01 )))))))))))))))))))))))))))))))))) 2004-01-01 06:18 280,676 --ahs---- C:\WINDOWS\system32\pmkjh.dll.vir 2004-01-01 06:10 6,702 --a------ C:\WINDOWS\system32\drivers\FlashSys.sys 2004-01-01 06:10 18,359 --a------ C:\WINDOWS\system32\Ntaccess.sys 2004-01-01 06:10 2004-01-01 03:45 45,056 --a------ C:\WINDOWS\system32\avldr.dll 2004-01-01 03:45 2004-01-01 03:45 2004-01-01 03:45 2004-01-01 03:31 1,582 --a------ C:\WINDOWS\system32\tmp.reg 2004-01-01 03:15 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT 2004-01-01 03:15 2004-01-01 03:15 2004-01-01 03:15 2004-01-01 03:15 2004-01-01 03:15 2004-01-01 03:15 2004-01-01 03:15 2004-01-01 03:04 2004-01-01 02:02 81,920 -ra------ C:\WINDOWS\SOUNDMAN.EXE 2004-01-01 02:02 40,960 -r------- C:\WINDOWS\system32\ChCfg.exe 2004-01-01 02:02 3,644,032 -ra------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS 2004-01-01 02:02 156,672 -ra------ C:\WINDOWS\system32\RTLCPAPI.dll 2004-01-01 02:02 10,458,112 -ra------ C:\WINDOWS\system32\RTLCPL.EXE 2004-01-01 02:02 2004-01-01 02:01 294,912 -r------- C:\WINDOWS\alcupd.exe 2004-01-01 02:01 200,704 -r------- C:\WINDOWS\alcrmv.exe 2004-01-01 01:58 2004-01-01 00:15 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-03-18 20:11 271360 --a------ C:\WINDOWS\system32\drivers\atksgt.sys 2007-03-18 20:11 18048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys 2007-03-15 18:29 82380 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS 2006-10-18 20:00 38528 --------- C:\WINDOWS\system32\drivers\wpdusb.sys 2006-09-28 19:00 82944 --------- C:\WINDOWS\system32\drivers\WudfRd.sys 2006-09-28 18:55 77568 --------- C:\WINDOWS\system32\drivers\WudfPf.sys 2006-08-21 10:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys 2006-08-16 10:37 225664 --a------ C:\WINDOWS\system32\drivers\tcpip6.sys 2006-08-14 11:34 332928 --a------ C:\WINDOWS\system32\drivers\srv.sys 2006-07-13 09:48 202240 --a------ C:\WINDOWS\system32\drivers\rmcast.sys 2006-06-14 10:00 82944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys 2006-06-14 09:47 6400 --a------ C:\WINDOWS\system32\drivers\splitter.sys 2006-06-14 09:47 172416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys 2006-05-05 10:47 174592 --a------ C:\WINDOWS\system32\drivers\rdbss.sys 2006-05-05 10:41 453120 --a------ C:\WINDOWS\system32\drivers\mrxsmb.sys 2006-04-20 12:51 359808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys 2006-03-17 01:33 262784 --a------ C:\WINDOWS\system32\drivers\http.sys 2006-02-22 10:43 71552 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys 2006-02-15 01:22 142464 --a------ C:\WINDOWS\system32\drivers\aec.sys 2005-10-10 14:49 3530432 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys 2005-06-28 02:24 163584 -ra------ C:\WINDOWS\system32\drivers\cx88vid.sys 2005-06-28 02:22 30976 -ra------ C:\WINDOWS\system32\drivers\cx88tune.sys 2005-06-28 02:21 9728 -ra------ C:\WINDOWS\system32\drivers\cxavxbar.sys 2005-06-10 05:11 139528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys 2005-05-17 10:45 92800 -ra------ C:\WINDOWS\system32\drivers\nvata.sys 2005-03-09 07:53 36352 -ra------ C:\WINDOWS\system32\drivers\AmdK8.sys 2004-09-29 23:28 134912 --a------ C:\WINDOWS\system32\drivers\ipnat.sys 2004-08-04 13:00 96256 --a------ C:\WINDOWS\system32\drivers\scsiport.sys 2004-08-04 13:00 9600 --a------ C:\WINDOWS\system32\drivers\ndistapi.sys 2004-08-04 13:00 95360 --a------ C:\WINDOWS\system32\drivers\atapi.sys 2004-08-04 13:00 92032 --a------ C:\WINDOWS\system32\drivers\ksecdd.sys 2004-08-04 13:00 91776 --a------ C:\WINDOWS\system32\drivers\ndiswan.sys 2004-08-04 13:00 88448 --a------ C:\WINDOWS\system32\drivers\nwlnkipx.sys 2004-08-04 13:00 8832 --a------ C:\WINDOWS\system32\drivers\rasacd.sys 2004-08-04 13:00 80256 --a------ C:\WINDOWS\system32\drivers\parport.sys 2004-08-04 13:00 800000 --a------ C:\WINDOWS\system32\drivers\dmboot.sys 2004-08-04 13:00 79744 --a------ C:\WINDOWS\system32\drivers\videoprt.sys 2004-08-04 13:00 7936 --a------ C:\WINDOWS\system32\drivers\fs_rec.sys 2004-08-04 13:00 7680 --a------ C:\WINDOWS\system32\drivers\mcd.sys 2004-08-04 13:00 74752 --a------ C:\WINDOWS\system32\drivers\ipsec.sys 2004-08-04 13:00 73472 --a------ C:\WINDOWS\system32\drivers\sr.sys 2004-08-04 13:00 71552 --a------ C:\WINDOWS\system32\drivers\bridge.sys 2004-08-04 13:00 71040 --a------ C:\WINDOWS\system32\drivers\dxg.sys 2004-08-04 13:00 69120 --a------ C:\WINDOWS\system32\drivers\psched.sys 2004-08-04 13:00 6912 --a------ C:\WINDOWS\system32\drivers\parvdm.sys 2004-08-04 13:00 67584 --a------ C:\WINDOWS\system32\drivers\sdbus.sys 2004-08-04 13:00 66176 --a------ C:\WINDOWS\system32\drivers\udfs.sys 2004-08-04 13:00 65664 --a------ C:\WINDOWS\system32\drivers\serial.sys 2004-08-04 13:00 63744 --a------ C:\WINDOWS\system32\drivers\mf.sys 2004-08-04 13:00 63744 --a------ C:\WINDOWS\system32\drivers\cdfs.sys 2004-08-04 13:00 63232 --a------ C:\WINDOWS\system32\drivers\nwlnknb.sys 2004-08-04 13:00 61824 --a------ C:\WINDOWS\system32\drivers\nic1394.sys 2004-08-04 13:00 61056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys 2004-08-04 13:00 60800 --a------ C:\WINDOWS\system32\drivers\arp1394.sys 2004-08-04 13:00 59904 --a------ C:\WINDOWS\system32\drivers\atmarpc.sys 2004-08-04 13:00 5888 --a------ C:\WINDOWS\system32\drivers\rootmdm.sys 2004-08-04 13:00 5888 --a------ C:\WINDOWS\system32\drivers\dmload.sys 2004-08-04 13:00 58112 --a------ C:\WINDOWS\system32\drivers\vdmindvd.sys 2004-08-04 13:00 57600 --a------ C:\WINDOWS\system32\drivers\usbhub.sys 2004-08-04 13:00 574592 --a------ C:\WINDOWS\system32\drivers\ntfs.sys 2004-08-04 13:00 55936 --a------ C:\WINDOWS\system32\drivers\nwlnkspx.sys 2004-08-04 13:00 55936 --a------ C:\WINDOWS\system32\drivers\atmlane.sys 2004-08-04 13:00 53504 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys 2004-08-04 13:00 53248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys 2004-08-04 13:00 52864 --a------ C:\WINDOWS\system32\drivers\volsnap.sys 2004-08-04 13:00 51712 --a------ C:\WINDOWS\system32\drivers\tosdvd.sys 2004-08-04 13:00 51328 --a------ C:\WINDOWS\system32\drivers\rasl2tp.sys 2004-08-04 13:00 49664 --a------ C:\WINDOWS\system32\drivers\classpnp.sys 2004-08-04 13:00 49536 --a------ C:\WINDOWS\system32\drivers\cdrom.sys 2004-08-04 13:00 48384 --a------ C:\WINDOWS\system32\drivers\raspptp.sys 2004-08-04 13:00 4736 --a------ C:\WINDOWS\system32\drivers\usbd.sys 2004-08-04 13:00 46592 --a------ C:\WINDOWS\system32\drivers\p3.sys 2004-08-04 13:00 4352 --a------ C:\WINDOWS\system32\drivers\wmilib.sys 2004-08-04 13:00 4352 --a------ C:\WINDOWS\system32\drivers\swenum.sys 2004-08-04 13:00 42240 --a------ C:\WINDOWS\system32\drivers\mountmgr.sys 2004-08-04 13:00 4224 --a------ C:\WINDOWS\system32\drivers\rdpcdd.sys 2004-08-04 13:00 4224 --a------ C:\WINDOWS\system32\drivers\mnmdd.sys 2004-08-04 13:00 4224 --a------ C:\WINDOWS\system32\drivers\beep.sys 2004-08-04 13:00 41856 --a------ C:\WINDOWS\system32\drivers\imapi.sys 2004-08-04 13:00 41472 --a------ C:\WINDOWS\system32\drivers\raspppoe.sys 2004-08-04 13:00 41472 --a------ C:\WINDOWS\system32\drivers\amdk7.sys 2004-08-04 13:00 41088 --a------ C:\WINDOWS\system32\drivers\amdk6.sys 2004-08-04 13:00 40704 --a------ C:\WINDOWS\system32\drivers\crusoe.sys 2004-08-04 13:00 40320 --a------ C:\WINDOWS\system32\drivers\nmnt.sys 2004-08-04 13:00 40320 --a------ C:\WINDOWS\system32\drivers\intelppm.sys 2004-08-04 13:00 39552 --a------ C:\WINDOWS\system32\drivers\processr.sys 2004-08-04 13:00 38016 --a------ C:\WINDOWS\system32\drivers\ndproxy.sys 2004-08-04 13:00 36352 --a------ C:\WINDOWS\system32\drivers\disk.sys 2004-08-04 13:00 36224 --a------ C:\WINDOWS\system32\drivers\isapnp.sys 2004-08-04 13:00 36224 --a------ C:\WINDOWS\system32\drivers\hidclass.sys 2004-08-04 13:00 352256 --a------ C:\WINDOWS\system32\drivers\atmuni.sys 2004-08-04 13:00 35072 --a------ C:\WINDOWS\system32\drivers\msgpc.sys 2004-08-04 13:00 35072 --a------ C:\WINDOWS\system32\drivers\fips.sys 2004-08-04 13:00 34560 --a------ C:\WINDOWS\system32\drivers\wanarp.sys 2004-08-04 13:00 34560 --a------ C:\WINDOWS\system32\drivers\netbios.sys 2004-08-04 13:00 3456 --a------ C:\WINDOWS\system32\drivers\pciide.sys 2004-08-04 13:00 3456 --a------ C:\WINDOWS\system32\drivers\oprghdlr.sys 2004-08-04 13:00 34432 --a------ C:\WINDOWS\system32\drivers\rawwan.sys 2004-08-04 13:00 3328 --a------ C:\WINDOWS\system32\drivers\dxgthk.sys 2004-08-04 13:00 32896 --a------ C:\WINDOWS\system32\drivers\ipfltdrv.sys 2004-08-04 13:00 32512 --a------ C:\WINDOWS\system32\drivers\nwlnkfwd.sys 2004-08-04 13:00 31360 --a------ C:\WINDOWS\system32\drivers\atmepvc.sys 2004-08-04 13:00 30848 --a------ C:\WINDOWS\system32\drivers\npfs.sys 2004-08-04 13:00 30208 --a------ C:\WINDOWS\system32\drivers\modem.sys 2004-08-04 13:00 30080 --a------ C:\WINDOWS\system32\drivers\rndismp.sys 2004-08-04 13:00 2944 --a------ C:\WINDOWS\system32\drivers\null.sys 2004-08-04 13:00 29056 --a------ C:\WINDOWS\system32\drivers\ip6fw.sys 2004-08-04 13:00 27440 --a------ C:\WINDOWS\system32\drivers\secdrv.sys 2004-08-04 13:00 27392 --a------ C:\WINDOWS\system32\drivers\fdc.sys 2004-08-04 13:00 26624 --a------ C:\WINDOWS\system32\drivers\usbehci.sys 2004-08-04 13:00 262528 --a------ C:\WINDOWS\system32\drivers\cinemst2.sys 2004-08-04 13:00 25472 --a------ C:\WINDOWS\system32\drivers\sonydcam.sys 2004-08-04 13:00 25088 --a------ C:\WINDOWS\system32\drivers\pciidex.sys 2004-08-04 13:00 24960 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys 2004-08-04 13:00 24960 --a------ C:\WINDOWS\system32\drivers\hidparse.sys 2004-08-04 13:00 23936 --a------ C:\WINDOWS\system32\drivers\usbcamd2.sys 2004-08-04 13:00 23808 --a------ C:\WINDOWS\system32\drivers\usbcamd.sys 2004-08-04 13:00 23296 --a------ C:\WINDOWS\system32\drivers\mouclass.sys 2004-08-04 13:00 21896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys 2004-08-04 13:00 21376 --a------ C:\WINDOWS\system32\drivers\tsbvcap.sys 2004-08-04 13:00 20992 --a------ C:\WINDOWS\system32\drivers\vga.sys 2004-08-04 13:00 20992 --a------ C:\WINDOWS\system32\drivers\ipinip.sys 2004-08-04 13:00 209408 --a------ C:\WINDOWS\system32\drivers\update.sys 2004-08-04 13:00 20480 --a------ C:\WINDOWS\system32\drivers\flpydisk.sys 2004-08-04 13:00 19072 --a------ C:\WINDOWS\system32\drivers\msfs.sys 2004-08-04 13:00 188672 --a------ C:\WINDOWS\system32\drivers\acpi.sys 2004-08-04 13:00 18688 --a------ C:\WINDOWS\system32\drivers\partmgr.sys 2004-08-04 13:00 18688 --a------ C:\WINDOWS\system32\drivers\cdaudio.sys 2004-08-04 13:00 18560 --a------ C:\WINDOWS\system32\drivers\tdi.sys 2004-08-04 13:00 182912 --a------ C:\WINDOWS\system32\drivers\ndis.sys 2004-08-04 13:00 181248 --a------ C:\WINDOWS\system32\drivers\mrxdav.sys 2004-08-04 13:00 17792 --a------ C:\WINDOWS\system32\drivers\ptilink.sys 2004-08-04 13:00 17024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys 2004-08-04 13:00 16512 --a------ C:\WINDOWS\system32\drivers\raspti.sys 2004-08-04 13:00 162816 --a------ C:\WINDOWS\system32\drivers\netbt.sys 2004-08-04 13:00 16000 --a------ C:\WINDOWS\system32\drivers\usbintel.sys 2004-08-04 13:00 15488 --a------ C:\WINDOWS\system32\drivers\serenum.sys 2004-08-04 13:00 15488 --a------ C:\WINDOWS\system32\drivers\mssmbios.sys 2004-08-04 13:00 153856 --a------ C:\WINDOWS\system32\drivers\dmio.sys 2004-08-04 13:00 14976 --a------ C:\WINDOWS\system32\drivers\tape.sys 2004-08-04 13:00 14592 --a------ C:\WINDOWS\system32\drivers\smclib.sys 2004-08-04 13:00 143360 --a------ C:\WINDOWS\system32\drivers\fastfat.sys 2004-08-04 13:00 14336 --a------ C:\WINDOWS\system32\drivers\asyncmac.sys 2004-08-04 13:00 142976 --a------ C:\WINDOWS\system32\drivers\usbport.sys 2004-08-04 13:00 14208 --a------ C:\WINDOWS\system32\drivers\diskdump.sys 2004-08-04 13:00 13952 --a------ C:\WINDOWS\system32\drivers\cbidf2k.sys 2004-08-04 13:00 138496 --a------ C:\WINDOWS\system32\drivers\afd.sys 2004-08-04 13:00 12928 --a------ C:\WINDOWS\system32\drivers\ndisuio.sys 2004-08-04 13:00 12672 --a------ C:\WINDOWS\system32\drivers\usb8023.sys 2004-08-04 13:00 125568 --a------ C:\WINDOWS\system32\drivers\ftdisk.sys 2004-08-04 13:00 12416 --a------ C:\WINDOWS\system32\drivers\tunmp.sys 2004-08-04 13:00 12416 --a------ C:\WINDOWS\system32\drivers\nwlnkflt.sys 2004-08-04 13:00 12288 --a------ C:\WINDOWS\system32\drivers\fsvga.sys 2004-08-04 13:00 12040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys 2004-08-04 13:00 12032 --a------ C:\WINDOWS\system32\drivers\ws2ifsl.sys 2004-08-04 13:00 12032 --a------ C:\WINDOWS\system32\drivers\riodrv.sys 2004-08-04 13:00 12032 --a------ C:\WINDOWS\system32\drivers\rio8drv.sys 2004-08-04 13:00 12032 --a------ C:\WINDOWS\system32\drivers\nikedrv.sys 2004-08-04 13:00 12032 --a------ C:\WINDOWS\system32\drivers\acpiec.sys 2004-08-04 13:00 120064 --a------ C:\WINDOWS\system32\drivers\pcmcia.sys 2004-08-04 13:00 11776 --a------ C:\WINDOWS\system32\drivers\cpqdap01.sys 2004-08-04 13:00 11392 --a------ C:\WINDOWS\system32\drivers\sfloppy.sys 2004-08-04 13:00 11264 --a------ C:\WINDOWS\system32\drivers\irenum.sys 2004-08-04 13:00 11136 --a------ C:\WINDOWS\system32\drivers\sffdisk.sys 2004-08-04 13:00 107904 --a------ C:\WINDOWS\system32\drivers\mup.sys 2004-08-04 13:00 10496 --a------ C:\WINDOWS\system32\drivers\dxapi.sys 2004-08-04 13:00 10240 --a------ C:\WINDOWS\system32\drivers\sffp_sd.sys 2004-08-04 01:35 58624 --a------ C:\WINDOWS\system32\drivers\redbook.sys 2004-08-04 00:44 40840 --a------ C:\WINDOWS\system32\drivers\termdd.sys 2004-08-04 00:38 14848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys 2004-08-04 00:34 68608 --a------ C:\WINDOWS\system32\drivers\pci.sys 2004-08-03 23:15 60800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys 2004-08-03 23:15 145792 --a------ C:\WINDOWS\system32\drivers\portcls.sys 2004-08-03 23:15 140928 --a------ C:\WINDOWS\system32\drivers\ks.sys 2004-08-03 23:10 85376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys 2004-08-03 23:10 19328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS 2004-08-03 23:10 17024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys 2004-08-03 23:10 15360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys 2004-08-03 23:10 11136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys 2004-08-03 23:10 10880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys 2004-08-03 23:08 60288 --a------ C:\WINDOWS\system32\drivers\drmk.sys 2004-08-03 23:08 48640 --a------ C:\WINDOWS\system32\drivers\stream.sys 2004-08-03 23:08 31616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys 2004-08-03 23:07 59264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys 2004-08-03 23:07 52864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys 2004-08-03 23:07 2944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys 2004-08-03 23:01 196864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys 2004-08-03 22:58 7552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys 2004-08-03 22:58 5504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys 2004-08-03 22:58 5376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2004-08-03 22:58 4992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys 2004-08-03 22:58 15104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys 2004-01-01 03:10 -------- d-------- C:\Program Files\multimedia keyboard driver 2004-01-01 03:10 -------- d-------- C:\Program Files\messenger 2004-01-01 03:10 -------- d-------- C:\Program Files\gadu-gadu 2004-01-01 01:16 -------- d-------- C:\Program Files\playlogic (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “AudCtrl”=“RunDll32 AudCtrl.dll,RCMonitor” “NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” “nwiz”=“nwiz.exe /install” “SW20”=“C:\WINDOWS\system32\sw20.exe” “SW24”=“C:\WINDOWS\system32\sw24.exe” “NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” “WireLessKeyboard”=“C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe” “SunJavaUpdateSched”="“C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe”" “LiveMonitor”=“C:\Program Files\MSI\Live Update 3\LMonitor.exe” “SoundMan”=“SOUNDMAN.EXE” “APVXDWIN”="“C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE” /s" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“eraser” “hkey”=“HKCU” “command”=“C:\Program Files\Eraser\eraser.exe -hide” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“fwupdate” “hkey”=“HKLM” “command”="“C:\Program Files\lg_fwupdate\fwupdate.exe”" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“NeroCheck” “hkey”=“HKLM” “command”=“C:\WINDOWS\system32\NeroCheck.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“hpgs2wnd” “hkey”=“HKLM” “command”=“C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{C3AE80DC-CE36-41E6-A011-E498F909614B}”="" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] “WPDShServiceObj”="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmk [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 ******************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 04-01-01 3:53:17

VundoFix:

VundoFix V4.2.22 Scan started at 03:16:37 2004-01-01 Listing files found while scanning… C:\WINDOWS\system32\hjkmp.bak1 C:\WINDOWS\system32\hjkmp.bak2 C:\WINDOWS\system32\hjkmp.ini C:\WINDOWS\system32\pmkjh.dll C:\WINDOWS\system32\kmllm.bak1 C:\WINDOWS\system32\kmllm.bak2 C:\WINDOWS\system32\kmllm.ini VundoFix V4.2.22 Scan started at 03:24:37 2004-01-01 Listing files found while scanning… C:\WINDOWS\system32\hjkmp.bak1 C:\WINDOWS\system32\hjkmp.bak2 C:\WINDOWS\system32\hjkmp.ini C:\WINDOWS\system32\kmllm.bak1 C:\WINDOWS\system32\kmllm.bak2 C:\WINDOWS\system32\kmllm.ini Attempting to delete C:\WINDOWS\system32\hjkmp.bak1 C:\WINDOWS\system32\hjkmp.bak1 Has been deleted! Attempting to delete C:\WINDOWS\system32\hjkmp.bak2 C:\WINDOWS\system32\hjkmp.bak2 Has been deleted! Attempting to delete C:\WINDOWS\system32\hjkmp.ini C:\WINDOWS\system32\hjkmp.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\kmllm.bak1 C:\WINDOWS\system32\kmllm.bak1 Has been deleted! Attempting to delete C:\WINDOWS\system32\kmllm.bak2 C:\WINDOWS\system32\kmllm.bak2 Has been deleted! Attempting to delete C:\WINDOWS\system32\kmllm.ini C:\WINDOWS\system32\kmllm.ini Has been deleted! Performing Repairs to the registry. Done! VundoFix V4.2.22 Scan started at 03:28:35 2004-01-01 Listing files found while scanning… No infected files were found. VundoFix V4.2.22 Scan started at 03:30:31 2004-01-01 Listing files found while scanning… No infected files were found.

Dzięki za pomoc. Czy pomogło jeszcze nie wiem

adam9870 · 23 Marzec 2007 17:55

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:

C:\WINDOWS\system32\pmkjh.dll.vir

Klikasz X czerwony i restart kompa.

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.

Po wykonaniu wklej nowy log z Hijacka, Silenta i Combo.

meason · 23 Marzec 2007 19:03

Logfile of HijackThis v1.99.1 Scan saved at 20:01, on 07-03-23 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\RunDll32.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\Program Files\MSI\Live Update 3\LMonitor.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Multimedia Keyboard Driver\PS2USBKbdDrv.exe c:\program files\panda software\panda antivirus 2007\WebProxy.exe C:\PROGRA~1\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Meason\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O4 - HKLM…\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [sW20] C:\WINDOWS\system32\sw20.exe O4 - HKLM…\Run: [sW24] C:\WINDOWS\system32\sw24.exe O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [WireLessKeyboard] C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe” O4 - HKLM…\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [APVXDWIN] “C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE” /s O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: http://mks.com.pl O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascinstie.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab O17 - HKLM\System\CCS\Services\Tcpip…{17864ACA-DCB1-44CA-80A3-DAF62455F2F3}: NameServer = 194.204.159.1,80.72.32.6 O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “AudCtrl” = “RunDll32 AudCtrl.dll,RCMonitor” [MS] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “SW20” = “C:\WINDOWS\system32\sw20.exe” [empty string] “SW24” = “C:\WINDOWS\system32\sw24.exe” [null data] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS] “WireLessKeyboard” = “C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe” [empty string] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “LiveMonitor” = “C:\Program Files\MSI\Live Update 3\LMonitor.exe” [empty string] “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “APVXDWIN” = ““C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE” /s” [“Panda Software International”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{A4DF5659-0801-4A60-9607-1C48695EFDA9}” = “Folder przesyłania Share-to-Web” -> {HKLM…CLSID} = “Folder przesyłania Share-to-Web” \InProcServer32(Default) = “C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL” [“Hewlett-Packard”] “{8BE13461-936F-11D1-A87D-444553540000}” = “Eraser Shell Extension” -> {HKLM…CLSID} = “Eraser Shell Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\erasext.dll” ["-"] “{65756541-C65C-11CD-0000-4B656E696100}” = “Panda Antivirus” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Antivirus 2007\ShellTit.DLL” [“Panda Software International”] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}” -> {HKLM…CLSID} = “WPDShServiceObj Class” \InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> avldr\DLLName = “avldr.dll” [“Panda Software”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Erasext(Default) = “{8BE13461-936F-11D1-A87D-444553540000}” -> {HKLM…CLSID} = “Eraser Shell Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\erasext.dll” ["-"] Panda Antivirus(Default) = “{65756541-C65C-11CD-0000-4B656E696100}” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Antivirus 2007\ShellTit.DLL” [“Panda Software International”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Erasext(Default) = “{8BE13461-936F-11D1-A87D-444553540000}” -> {HKLM…CLSID} = “Eraser Shell Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\erasext.dll” ["-"] Panda Antivirus(Default) = “{65756541-C65C-11CD-0000-4B656E696100}” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Antivirus 2007\ShellTit.DLL” [“Panda Software International”] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Meason\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\logon.scr” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\Program Files\Panda Software\Panda Antivirus 2007\pavlsp.dll [“Panda Software International”], 01 - 03, 19 %SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 18 %SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.5.0_11” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_11” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll” [“Sun Microsystems, Inc.”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”) Added lines (compared with English-language version): : ˙ţ[V e r s i o n] : S i g n a t u r e = " $ C H I C A G O $ " : A d v a n c e d I N F = 2 . 5 , " Y o u n e e d a n e w v e r s i o n o f a d v p a c k . d l l " : : [R e s t o r e H o m e P a g e] : A d d R e g = R e s t o r e H o m e P a g e . r e g : : [R e s t o r e B r o w s e r S e t t i n g s] : A d d R e g = R e s t o r e B r o w s e r S e t t i n g s . r e g : D e l R e g = D e l e t e T e m p l a t e s . r e g , D e l e t e A u t o s e a r c h . r e g : : [R e s t o r e H o m e P a g e . r e g] : H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S t a r t P a g e " , 0 , % S T A R T _ P A G E _ U R L % : : [R e s t o r e B r o w s e r S e t t i n g s . r e g] : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " D e f a u l t _ P a g e _ U R L " , 0 , % S T A R T _ P A G E _ U R L % : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " D e f a u l t _ S e a r c h _ U R L " , 0 , % S E A R C H _ P A G E _ U R L % : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S e a r c h P a g e " , 0 , % S E A R C H _ P A G E _ U R L % : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 1 " , 0 , " w w w . % s . c o m " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 2 " , 0 , " w w w . % s . o r g " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 3 " , 0 , " w w w . % s . n e t " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 4 " , 0 , " w w w . % s . e d u " : H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S e a r c h P a g e " , 0 , % S E A R C H _ P A G E _ U R L % : : ; N O T E ( a n d r e w g u ) i e 5 . 5 b # 1 0 8 2 5 9 - a u t o s e a r c h s e t t i n g s a r e n o t p r o p e r l y r e s e t : H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ S e a r c h U r l " , " P r o v i d e r " , 0 , " " : : t m " : t m " : H K L M , " S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ I n t e r n e t S e t t i n g s \ S a f e S i t e s " , % S A F E S I T E _ V A L U E % , 0 , " h t t p : / / i e . s e a r c h . m s n . c o m / * " : : [D e l e t e T e m p l a t e s . r e g] : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 5 " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 6 " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 7 " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 8 " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 9 " : : [D e l e t e A u t o s e a r c h . r e g] : ; N O T E ( a n d r e w g u ) i e 5 . 5 b # 1 0 8 2 5 9 - a u t o s e a r c h s e t t i n g s a r e n o t p r o p e r l y r e s e t : H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " A u t o S e a r c h " : : [S t r i n g s] : S T A R T _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & p v e r = 6 & a r = m s n h o m e " : S E A R C H _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & a r = i e s e a r c h " : S A F E S I T E _ V A L U E = " i e . s e a r c h . m s n . c o m " : : ; I M P O R T A N T N O T E : : ; I E b r a n d i n g d l l ( i e d k c s 3 2 . d l l ) u s e s t h e f o l l o w i n g e n t r i e s t o r e s t o r e t h e d e f a u l t M S v a l u e s . : ; I n t h e v a n i l l a v e r s i o n o f I E , t h e v a l u e s m u s t b e t h e s a m e a s t h e i r c o r r e s p o n d i n g n o n M S _ * v a l u e s . : ; F o r e x a m p l e , S T A R T _ P A G E _ U R L a n d M S _ S T A R T _ P A G E _ U R L m u s t h a v e t h e s a m e U R L i n t h e I E v e r s i o n r e l e a s e d b y M S . : M S _ S T A R T _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & p v e r = 6 & a r = m s n h o m e " : Missing lines (compared with English-language version): [Version]: 2 lines [RestoreHomePage]: 1 line [RestoreHomePage.reg]: 1 line [RestoreBrowserSettings.reg]: 12 lines [DeleteTemplates.reg]: 5 lines [DeleteAutosearch.reg]: 1 line [strings]: 1 line [RestoreBrowserSettings]: 2 lines [strings]: 3 lines Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] Panda anti-virus service, PAVSRV, ““C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe”” [“Panda Software International”] Panda IManager Service, PSIMSVC, ““C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe”” [“Panda Software”] Ulead Burning Helper, UleadBurningHelper, “C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe” [“Ulead Systems, Inc.”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 25 seconds. ---------- (total run time: 49 seconds)

“Administrator” - 07-03-23 19:58:11 Dodatek Service Pack 2 ComboFix 07-03-22.2 - Running from: “C:\Documents and Settings\Administrator\Pulpit” ((((((((((((((((((((((((((((((( Files Created from 2007-02-23 to 2007-03-23 )))))))))))))))))))))))))))))))))) 2007-03-23 19:58 2007-03-22 12:50 2007-03-20 20:41 2007-03-19 11:00 610,304 --a------ C:\WINDOWS\system32\eraser.dll 2007-03-19 11:00 282,624 --a------ C:\WINDOWS\system32\erasext.dll 2007-03-19 11:00 233,472 --a------ C:\WINDOWS\system32\eraserl.exe 2007-03-19 11:00 2007-03-19 10:36 2007-03-19 09:24 2007-03-19 09:24 2007-03-19 09:23 2007-03-18 20:57 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll 2007-03-18 20:57 2007-03-18 20:31 2007-03-18 20:27 2007-03-18 20:11 271,360 --a------ C:\WINDOWS\system32\drivers\atksgt.sys 2007-03-18 20:11 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys 2007-03-18 20:10 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll 2007-03-18 20:10 2007-03-18 20:06 2007-03-18 20:06 2007-03-18 19:42 2007-03-18 19:41 2007-03-18 19:41 2007-03-18 19:41 2007-03-18 19:39 221,184 --a------ C:\WINDOWS\system32\wmpns.dll 2007-03-18 19:38 2007-03-18 19:35 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll 2007-03-18 19:35 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll 2007-03-18 19:35 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll 2007-03-18 19:35 2007-03-18 19:31 2007-03-17 15:42 2007-03-17 15:41 2007-03-17 15:41 2007-03-17 15:37 30,976 -ra------ C:\WINDOWS\system32\drivers\cx88tune.sys 2007-03-17 15:36 9,728 -ra------ C:\WINDOWS\system32\drivers\cxavxbar.sys 2007-03-17 15:30 796,672 --a------ C:\WINDOWS\GPInstall.exe 2007-03-17 15:30 2007-03-17 15:25 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys 2007-03-17 15:25 54,784 --a------ C:\WINDOWS\system32\vfwwdm32.dll 2007-03-17 15:25 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys 2007-03-17 15:25 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS 2007-03-17 15:25 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys 2007-03-17 15:25 163,584 -ra------ C:\WINDOWS\system32\drivers\cx88vid.sys 2007-03-17 15:25 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys 2007-03-17 15:25 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys 2007-03-17 15:25 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys 2007-03-16 19:39 2007-03-16 13:28 2007-03-16 11:56 2007-03-15 20:56 2007-03-15 20:56 2007-03-15 20:55 2007-03-15 20:50 2007-03-15 18:33 2007-03-15 18:32 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys 2007-03-15 18:30 2007-03-15 18:30 2007-03-15 18:30 2007-03-15 18:29 82,380 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS 2007-03-15 18:29 2007-03-15 13:44 2007-03-14 12:32 2007-03-13 16:55 2007-03-13 16:55 2007-03-13 12:59 2007-03-13 12:59 2007-03-13 12:57 21,504 --a------ C:\WINDOWS\system32\hidserv.dll 2007-03-13 12:57 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys 2007-03-12 17:05 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe 2007-03-12 17:05 2007-03-12 17:05 2007-03-12 16:42 9,728 -ra------ C:\WINDOWS\system32\sysinfoX64.sys 2007-03-12 16:42 8,192 -ra------ C:\WINDOWS\system32\sysinfo.sys 2007-03-12 16:42 69,632 -ra------ C:\WINDOWS\system32\sw24.exe 2007-03-12 16:42 53,248 -ra------ C:\WINDOWS\system32\Nvgpio.dll 2007-03-12 16:42 200,704 -ra------ C:\WINDOWS\system32\sw20.exe 2007-03-12 16:42 114,688 -ra------ C:\WINDOWS\system32\sysinfo.dll 2007-03-12 16:42 1,409,024 -ra------ C:\WINDOWS\system32\msicpl.dll 2007-03-12 14:18 2007-03-12 14:14 2007-03-12 13:26 2007-03-12 12:55 2007-03-12 12:54 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys 2007-03-12 12:54 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys 2007-03-12 12:53 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys 2007-03-12 12:53 77,312 --a------ C:\WINDOWS\system32\usbui.dll 2007-03-12 12:53 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys 2007-03-12 12:53 58,624 --a------ C:\WINDOWS\system32\drivers\redbook.sys 2007-03-12 12:52 2007-03-12 12:52 2007-03-12 12:51 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL 2007-03-12 12:51 9,168 --a------ C:\WINDOWS\system\VER.DLL 2007-03-12 12:51 85,532 --a------ C:\WINDOWS\system32\dgsetup.dll 2007-03-12 12:51 83,456 --a------ C:\WINDOWS\system\OLECLI.DLL 2007-03-12 12:51 8,704 --a------ C:\WINDOWS\system32\batt.dll 2007-03-12 12:51 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll 2007-03-12 12:51 75,776 --a------ C:\WINDOWS\system32\storprop.dll 2007-03-12 12:51 70,144 --a------ C:\WINDOWS\NOTEPAD.EXE 2007-03-12 12:51 70,096 --a------ C:\WINDOWS\system\AVICAP.DLL 2007-03-12 12:51 7,168 --a------ C:\WINDOWS\system32\kbdcz.dll 2007-03-12 12:51 69,552 --a------ C:\WINDOWS\system\MMSYSTEM.DLL 2007-03-12 12:51 6,656 -ra------ C:\WINDOWS\system32\kbdhela3.dll 2007-03-12 12:51 6,656 --a------ C:\WINDOWS\system32\kbdycl.dll 2007-03-12 12:51 6,656 --a------ C:\WINDOWS\system32\kbdsl1.dll 2007-03-12 12:51 6,656 --a------ C:\WINDOWS\system32\kbdsl.dll 2007-03-12 12:51 6,656 --a------ C:\WINDOWS\system32\kbdhu.dll 2007-03-12 12:51 6,656 --a------ C:\WINDOWS\system32\kbdcz2.dll 2007-03-12 12:51 6,656 --a------ C:\WINDOWS\system32\kbdcz1.dll 2007-03-12 12:51 6,656 --a------ C:\WINDOWS\system32\kbdcr.dll 2007-03-12 12:51 6,656 --a------ C:\WINDOWS\system32\KBDAL.DLL 2007-03-12 12:51 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll 2007-03-12 12:51 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll 2007-03-12 12:51 6,144 -ra------ C:\WINDOWS\system32\kbdlv1.dll 2007-03-12 12:51 6,144 -ra------ C:\WINDOWS\system32\kbdlv.dll 2007-03-12 12:51 6,144 -ra------ C:\WINDOWS\system32\kbdhela2.dll 2007-03-12 12:51 6,144 -ra------ C:\WINDOWS\system32\kbdgkl.dll 2007-03-12 12:51 6,144 -ra------ C:\WINDOWS\system32\kbdest.dll 2007-03-12 12:51 5,632 -ra------ C:\WINDOWS\system32\kbdmon.dll 2007-03-12 12:51 5,632 -ra------ C:\WINDOWS\system32\kbdlt1.dll 2007-03-12 12:51 5,632 -ra------ C:\WINDOWS\system32\kbdlt.dll 2007-03-12 12:51 5,632 -ra------ C:\WINDOWS\system32\kbdkyr.dll 2007-03-12 12:51 5,632 -ra------ C:\WINDOWS\system32\kbdhe319.dll 2007-03-12 12:51 5,632 -ra------ C:\WINDOWS\system32\kbdhe220.dll 2007-03-12 12:51 5,632 -ra------ C:\WINDOWS\system32\kbdhe.dll 2007-03-12 12:51 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll 2007-03-12 12:51 5,632 --a------ C:\WINDOWS\system32\kbdro.dll 2007-03-12 12:51 5,632 --a------ C:\WINDOWS\system32\kbdhu1.dll 2007-03-12 12:51 5,120 --a------ C:\WINDOWS\system\SHELL.DLL 2007-03-12 12:51 33,376 --a------ C:\WINDOWS\system\COMMDLG.DLL 2007-03-12 12:51 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll 2007-03-12 12:51 24,064 --a------ C:\WINDOWS\system\OLESVR.DLL 2007-03-12 12:51 19,200 --a------ C:\WINDOWS\system\TAPI.DLL 2007-03-12 12:51 176,157 --a------ C:\WINDOWS\system32\dgrpsetu.dll 2007-03-12 12:51 15,360 --a------ C:\WINDOWS\TASKMAN.EXE 2007-03-12 12:51 13,312 --a------ C:\WINDOWS\system32\irclass.dll 2007-03-12 12:51 127,008 --a------ C:\WINDOWS\system\MSVIDEO.DLL 2007-03-12 12:51 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys 2007-03-12 12:51 109,488 --a------ C:\WINDOWS\system\AVIFILE.DLL 2007-03-12 12:51 103,424 --a------ C:\WINDOWS\system32\EqnClass.Dll 2007-03-12 12:51 2007-03-12 12:51 2007-03-12 12:51 2007-03-12 12:51 2007-03-12 12:51 2007-03-12 12:51 2007-03-12 12:51 2007-03-12 12:51 2007-03-12 12:51 2007-03-12 12:51 2007-03-12 12:51 2007-03-12 12:51 2007-03-12 12:51 2007-03-12 12:51 2007-03-12 12:51 2007-03-12 12:51 2007-03-12 12:51 2007-03-12 12:50 2007-03-12 12:50 2007-03-12 12:48 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:44 2007-03-12 12:42 1,423 --a------ C:\WINDOWS\mozver.dat 2007-03-12 12:29 0 --a------ C:\WINDOWS\nsreg.dat 2007-03-12 12:29 2007-03-12 12:28 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll 2007-03-12 12:28 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll 2007-03-12 12:28 6,144 --a------ C:\WINDOWS\system32\kbd106.dll 2007-03-12 12:28 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll 2007-03-12 12:28 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll 2007-03-12 12:28 5,632 --a------ C:\WINDOWS\system32\kbd103.dll 2007-03-12 12:23 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys 2007-03-12 12:23 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys 2007-03-12 12:23 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys 2007-03-12 12:23 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys 2007-03-12 12:23 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys 2007-03-12 12:23 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys 2007-03-12 12:23 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys 2007-03-12 12:23 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys 2007-03-12 12:23 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2007-03-12 12:23 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys 2007-03-12 12:23 4,096 --a------ C:\WINDOWS\system32\ksuser.dll 2007-03-12 12:23 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys 2007-03-12 12:23 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys 2007-03-12 12:23 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys 2007-03-12 12:23 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys 2007-03-12 12:23 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys 2007-03-12 12:19 306,688 --a------ C:\WINDOWS\IsUninst.exe 2007-03-12 12:19 2007-03-12 12:19 2007-03-12 12:19 2007-03-12 12:19 2007-03-12 12:19 2007-03-12 12:18 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll 2007-03-12 12:18 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll 2007-03-12 12:18 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll 2007-03-12 12:18 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe 2007-03-12 12:18 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll 2007-03-12 12:18 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll 2007-03-12 12:18 2007-03-12 12:17 40,960 --a------ C:\Program Files\Uninstall_CDS.exe 2007-03-12 12:17 2007-03-12 12:17 2007-03-12 12:15 102,912 --------- C:\WINDOWS\system32\Vb6stkit.dll 2007-03-12 12:15 102,160 --------- C:\WINDOWS\system32\VB6KO.DLL 2007-03-12 12:15 2007-03-12 12:13 92,800 -ra------ C:\WINDOWS\system32\drivers\nvata.sys 2007-03-12 12:13 300,032 -ra------ C:\WINDOWS\system32\idecoi.dll 2007-03-12 12:12 36,352 -ra------ C:\WINDOWS\system32\drivers\AmdK8.sys 2007-03-12 12:12 2007-03-12 12:10 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE 2007-03-12 12:10 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe 2007-03-12 12:10 2007-03-12 12:09 2007-03-12 12:06 229,376 --ah----- C:\DOCUME~1\LOCALS~1\NTUSER.DAT 2007-03-12 12:06 2,883,584 --ah----- C:\DOCUME~1\Meason\NTUSER.DAT 2007-03-12 12:06 2007-03-12 12:06 2007-03-12 12:06 2007-03-12 12:06 2007-03-12 12:06 2007-03-12 12:06 2007-03-12 12:06 2007-03-12 12:06 2007-03-12 12:06 2007-03-12 12:06 2007-03-12 12:06 2007-03-12 12:05 229,376 --ah----- C:\DOCUME~1\NETWOR~1\NTUSER.DAT 2007-03-12 12:05 2007-03-12 12:05 2007-03-12 12:03 229,376 —h----- C:\DOCUME~1\DEFAUL~1\NTUSER.DAT 2007-03-12 12:03 112,128 --a------ C:\WINDOWS\system32\mapi32.dll 2007-03-12 12:03 0 -rahs---- C:\MSDOS.SYS 2007-03-12 12:03 0 -rahs---- C:\IO.SYS 2007-03-12 12:03 0 --a------ C:\CONFIG.SYS 2007-03-12 12:03 0 --a------ C:\AUTOEXEC.BAT 2007-03-12 12:03 2007-03-12 12:03 2007-03-12 12:02 2007-03-12 12:02 2007-03-12 12:02 2007-03-12 12:02 2007-03-12 12:02 2007-03-12 12:02 2007-03-12 12:01 86,016 --a------ C:\WINDOWS\system32\isign32.dll 2007-03-12 12:01 81,920 --a------ C:\WINDOWS\system32\ils.dll 2007-03-12 12:01 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll 2007-03-12 12:01 73,728 --a------ C:\WINDOWS\system32\icwdial.dll 2007-03-12 12:01 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys 2007-03-12 12:01 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll 2007-03-12 12:01 69,632 --a------ C:\WINDOWS\system32\msconf.dll 2007-03-12 12:01 679,424 --a------ C:\WINDOWS\system32\inetcomm.dll 2007-03-12 12:01 67,584 --a------ C:\WINDOWS\system32\srclient.dll 2007-03-12 12:01 67,584 --a------ C:\WINDOWS\system32\acctres.dll 2007-03-12 12:01 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll 2007-03-12 12:01 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll 2007-03-12 12:01 49,664 --a------ C:\WINDOWS\system32\inetres.dll 2007-03-12 12:01 466,200 --a------ C:\WINDOWS\system32\wuapi.dll 2007-03-12 12:01 45,568 --a------ C:\WINDOWS\system32\safrslv.dll 2007-03-12 12:01 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll 2007-03-12 12:01 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll 2007-03-12 12:01 41,240 --a------ C:\WINDOWS\system32\wups.dll 2007-03-12 12:01 382,464 --a------ C:\WINDOWS\system32\qmgr.dll 2007-03-12 12:01 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll 2007-03-12 12:01 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe 2007-03-12 12:01 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll 2007-03-12 12:01 29,696 --a------ C:\WINDOWS\system32\safrdm.dll 2007-03-12 12:01 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll 2007-03-12 12:01 278,528 --a------ C:\WINDOWS\system32\mstask.dll 2007-03-12 12:01 278,528 --a------ C:\WINDOWS\system32\inetcfg.dll 2007-03-12 12:01 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll 2007-03-12 12:01 240,128 --a------ C:\WINDOWS\system32\srrstr.dll 2007-03-12 12:01 23,040 --a------ C:\WINDOWS\system32\fltmc.exe 2007-03-12 12:01 195,352 --a------ C:\WINDOWS\system32\wuaueng1.dll 2007-03-12 12:01 192,000 --a------ C:\WINDOWS\system32\schedsvc.dll 2007-03-12 12:01 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll 2007-03-12 12:01 175,384 --a------ C:\WINDOWS\system32\wuauclt1.exe 2007-03-12 12:01 173,536 --a------ C:\WINDOWS\system32\wuweb.dll 2007-03-12 12:01 171,008 --a------ C:\WINDOWS\system32\srsvc.dll 2007-03-12 12:01 16,896 --a------ C:\WINDOWS\system32\fltlib.dll 2007-03-12 12:01 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll 2007-03-12 12:01 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys 2007-03-12 12:01 128,280 --a------ C:\WINDOWS\system32\wucltui.dll 2007-03-12 12:01 125,208 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-03-12 12:01 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll 2007-03-12 12:01 12,288 --a------ C:\WINDOWS\system32\mstinit.exe 2007-03-12 12:01 11,264 --a------ C:\WINDOWS\system32\atrace.dll 2007-03-12 12:01 105,984 --a------ C:\WINDOWS\system32\msoert2.dll 2007-03-12 12:01 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-03-12 12:01 2007-03-12 12:01 2007-03-12 12:01 2007-03-12 12:01 2007-03-12 12:01 2007-03-12 12:01 2007-03-12 12:00 5,632 --a------ C:\WINDOWS\system32\write.exe 2007-03-12 12:00 21,856 --a------ C:\WINDOWS\system32\emptyregdb.dat 2007-03-12 12:00 2007-03-12 12:00 2007-03-12 12:00 2007-03-12 11:59 97,792 --a------ C:\WINDOWS\system32\comrepl.dll 2007-03-12 11:59 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll 2007-03-12 11:59 94,720 --a------ C:\WINDOWS\system32\tscfgwmi.dll 2007-03-12 11:59 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll 2007-03-12 11:59 9,728 --a------ C:\WINDOWS\system32\reset.exe 2007-03-12 11:59 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll 2007-03-12 11:59 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll 2007-03-12 11:59 80,896 --a------ C:\WINDOWS\system32\charmap.exe 2007-03-12 11:59 73,216 --a------ C:\WINDOWS\system32\avwav.dll 2007-03-12 11:59 67,072 --a------ C:\WINDOWS\system32\rdshost.exe 2007-03-12 11:59 655,360 --a------ C:\WINDOWS\system32\mstscax.dll 2007-03-12 11:59 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll 2007-03-12 11:59 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe 2007-03-12 11:59 605,696 --a------ C:\WINDOWS\system32\getuname.dll 2007-03-12 11:59 60,928 --a------ C:\WINDOWS\system32\remotepg.dll 2007-03-12 11:59 60,416 --a------ C:\WINDOWS\system32\colbact.dll 2007-03-12 11:59 6,144 --a------ C:\WINDOWS\system32\msdtc.exe 2007-03-12 11:59 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll 2007-03-12 11:59 58,880 --a------ C:\WINDOWS\system32\licwmi.dll 2007-03-12 11:59 57,344 --a------ C:\WINDOWS\system32\sol.exe 2007-03-12 11:59 56,320 --a------ C:\WINDOWS\system32\servdeps.dll 2007-03-12 11:59 55,808 --a------ C:\WINDOWS\system32\freecell.exe 2007-03-12 11:59 540,160 --a------ C:\WINDOWS\system32\comuid.dll 2007-03-12 11:59 54,272 --a------ C:\WINDOWS\system32\stclient.dll 2007-03-12 11:59 539,136 --a------ C:\WINDOWS\system32\spider.exe 2007-03-12 11:59 5,120 --a------ C:\WINDOWS\system32\dcomcnfg.exe 2007-03-12 11:59 498,688 --a------ C:\WINDOWS\system32\clbcatq.dll 2007-03-12 11:59 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe 2007-03-12 11:59 44,544 --a------ C:\WINDOWS\system32\hticons.dll 2007-03-12 11:59 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll 2007-03-12 11:59 408,576 --a------ C:\WINDOWS\system32\mstsc.exe 2007-03-12 11:59 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys 2007-03-12 11:59 4,608 --a------ C:\WINDOWS\system32\rdpcfgex.dll 2007-03-12 11:59 4,096 --a------ C:\WINDOWS\system32\mtxex.dll 2007-03-12 11:59 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll 2007-03-12 11:59 351,744 --a------ C:\WINDOWS\system32\hypertrm.dll 2007-03-12 11:59 35,328 --a------ C:\WINDOWS\system32\winchat.exe 2007-03-12 11:59 345,088 --a------ C:\WINDOWS\system32\mspaint.exe 2007-03-12 11:59 33,792 --a------ C:\WINDOWS\system32\regini.exe 2007-03-12 11:59 296,448 --a------ C:\WINDOWS\system32\termsrv.dll 2007-03-12 11:59 25,600 --a------ C:\WINDOWS\system32\comaddin.dll 2007-03-12 11:59 25,088 --a------ C:\WINDOWS\system32\mtxlegih.dll 2007-03-12 11:59 231,424 --a------ C:\WINDOWS\system32\avtapi.dll 2007-03-12 11:59 225,792 --a------ C:\WINDOWS\system32\catsrv.dll 2007-03-12 11:59 22,528 --a------ C:\WINDOWS\system32\qwinsta.exe 2007-03-12 11:59 22,528 --a------ C:\WINDOWS\system32\msg.exe 2007-03-12 11:59 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys 2007-03-12 11:59 20,992 --a------ C:\WINDOWS\system32\qprocess.exe 2007-03-12 11:59 20,480 --a------ C:\WINDOWS\system32\mtxdm.dll 2007-03-12 11:59 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys 2007-03-12 11:59 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll 2007-03-12 11:59 187,904 --a------ C:\WINDOWS\system32\cmprops.dll 2007-03-12 11:59 187,904 --a------ C:\WINDOWS\system32\accwiz.exe 2007-03-12 11:59 17,920 --a------ C:\WINDOWS\system32\tsshutdn.exe 2007-03-12 11:59 17,920 --a------ C:\WINDOWS\system32\mmfutil.dll 2007-03-12 11:59 17,408 --a------ C:\WINDOWS\system32\qappsrv.exe 2007-03-12 11:59 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll 2007-03-12 11:59 16,384 --a------ C:\WINDOWS\system32\tskill.exe 2007-03-12 11:59 16,384 --a------ C:\WINDOWS\system32\rwinsta.exe 2007-03-12 11:59 16,384 --a------ C:\WINDOWS\system32\avmeter.dll 2007-03-12 11:59 15,872 --a------ C:\WINDOWS\system32\logoff.exe 2007-03-12 11:59 15,872 --a------ C:\WINDOWS\system32\cdmodem.dll 2007-03-12 11:59 15,360 --a------ C:\WINDOWS\system32\tsdiscon.exe 2007-03-12 11:59 15,360 --a------ C:\WINDOWS\system32\tscon.exe 2007-03-12 11:59 15,360 --a------ C:\WINDOWS\system32\shadow.exe 2007-03-12 11:59 147,968 --a------ C:\WINDOWS\system32\rdchost.dll 2007-03-12 11:59 147,456 --a------ C:\WINDOWS\system32\comsnap.dll 2007-03-12 11:59 141,824 --a------ C:\WINDOWS\system32\sessmgr.exe 2007-03-12 11:59 139,528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys 2007-03-12 11:59 139,264 --a------ C:\WINDOWS\system32\sndvol32.exe 2007-03-12 11:59 132,608 --a------ C:\WINDOWS\system32\sndrec32.exe 2007-03-12 11:59 13,824 --a------ C:\WINDOWS\system32\rdsaddin.exe 2007-03-12 11:59 128,000 --a------ C:\WINDOWS\system32\mshearts.exe 2007-03-12 11:59 124,928 --a------ C:\WINDOWS\system32\mplay32.exe 2007-03-12 11:59 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys 2007-03-12 11:59 119,808 --a------ C:\WINDOWS\system32\winmine.exe 2007-03-12 11:59 115,200 --a------ C:\WINDOWS\system32\calc.exe 2007-03-12 11:59 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll 2007-03-12 11:59 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll 2007-03-12 11:59 11,264 --a------ C:\WINDOWS\system32\icaapi.dll 2007-03-12 11:59 103,424 --a------ C:\WINDOWS\system32\clipbrd.exe 2007-03-12 11:59 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll 2007-03-12 11:59 1,225 --a------ C:\WINDOWS\system32\usrlogon.cmd 2007-03-12 11:59 2007-03-12 11:59 2007-03-12 11:59 2007-03-12 10:54 351,776 --a------ C:\WINDOWS\system32\drivers\ar5211.sys 2007-03-12 10:50 59,392 --a------ C:\WINDOWS\system32\a3d.dll 2007-03-12 10:50 47,897 --a------ C:\WINDOWS\system32\AudCtrl.dll 2007-03-12 10:50 1,152,916 --a------ C:\WINDOWS\system32\drivers\sbext.sys (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-03-22 19:31 -------- d-------- C:\Program Files\msi 2007-03-22 15:57 49696 --a------ C:\WINDOWS\system32\perfc015.dat 2007-03-22 15:57 355816 --a------ C:\WINDOWS\system32\perfh015.dat 2007-03-12 12:51 62 --ahs---- C:\DOCUME~1\ADMINI~1\DANEAP~1\desktop.ini 2007-03-12 12:02 -------- d-------- C:\Program Files\usˆugi online 2007-01-22 12:00 719088 --a------ C:\WINDOWS\system32\skaneronline.dll 2007-01-19 09:40 89088 --a------ C:\WINDOWS\system32\skaneronlineuninstall.exe (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “AudCtrl”=“RunDll32 AudCtrl.dll,RCMonitor” “NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” “nwiz”=“nwiz.exe /install” “SW20”=“C:\WINDOWS\system32\sw20.exe” “SW24”=“C:\WINDOWS\system32\sw24.exe” “NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” “WireLessKeyboard”=“C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe” “SunJavaUpdateSched”="“C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe”" “LiveMonitor”=“C:\Program Files\MSI\Live Update 3\LMonitor.exe” “SoundMan”=“SOUNDMAN.EXE” “APVXDWIN”="“C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE” /s" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“eraser” “hkey”=“HKCU” “command”=“C:\Program Files\Eraser\eraser.exe -hide” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“fwupdate” “hkey”=“HKLM” “command”="“C:\Program Files\lg_fwupdate\fwupdate.exe”" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“NeroCheck” “hkey”=“HKLM” “command”=“C:\WINDOWS\system32\NeroCheck.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“hpgs2wnd” “hkey”=“HKLM” “command”=“C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{C3AE80DC-CE36-41E6-A011-E498F909614B}”="" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] “WPDShServiceObj”="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 ******************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 07-03-23 19:58:54 C:\ComboFix2.txt … 04-01-01 03:53

Tak z ciekawości. Czy każdy plik zakończony na *.vir jest wirusem?

adam9870 · 23 Marzec 2007 21:32

Logi są czyste.

Bardzo często są. Pliki o rozszerzeniach *.vir tworzy zazwyczaj trojan Vundo oraz trojan Qoologic. ComboFix tego typu pliki często przenosi do swojej kwarantanny, która jest tworzona na partycji C w postaci folderu qoobox.

Kosmetyka:

Start => uruchom => msconfig => zakładka Uruchamianie => możesz odznaczyć w/w.

Panel sterowania => Java Plug-in => Update => odznacz opcję Check for updates automatically.

Jeśli nie korzystasz z zaawansowanych usług tekstowych to je wyłącz: Panel sterowania => Opcje regionalne => Języki => Szczegóły => Zaawansowane => zaznacz wyłącz zaawansowane usługi tekstowe.

W opcjach komunikatora możesz wyłączyć uruchamianie przy starcie systemu jeśli nie jest Ci potrzebne.

Jeśli nie używasz Messenger’a to go usuń: start => uruchom => wpisz polecenie:

RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove

meason · 24 Marzec 2007 11:29

Serdeczne dzięki.

Czyli nie wszystkie ?