chalk (chalk)
27 April 2007 12:29
#1
I have the problem from the thread title. It happens very often when launching programs. FixVundo shows nothing; Ad-Aware and Spybot are clean too. I don't know whether it's the fault of some crud or maybe of the system settings. I made a ComboFix log; if someone could take a look, I'd be grateful.
"Blemer" - 07-04-27 14:15:49 Dodatek Service Pack 2
ComboFix 07-03-23 - Running from: "C:\Documents and Settings\Blemer\Pulpit\Nowy folder"

((((((((((((((((((((((((((((((( Files Created from 2007-03-27 to 2007-04-27 ))))))))))))))))))))))))))))))))))

2007-04-24 16:55 5 --ahs---- C:\WINDOWS\system32\edbbcc2_s.dll
2007-04-24 16:55
2007-04-24 13:59
2007-04-22 22:36
2007-04-18 23:10
2007-04-18 21:42
2007-04-15 23:24
2007-04-15 23:16
2007-04-13 11:02
2007-04-12 12:32
2007-04-12 09:23 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-04-12 00:03 131,072 --a------ C:\WINDOWS\system32\EraserDemo.dll
2007-04-11 23:28 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-04-11 21:52
2007-04-09 23:54 0 --a------ C:\WINDOWS\nsreg.dat
2007-04-08 13:45
2007-04-04 23:13
2007-04-01 14:30
2007-03-31 18:28
2007-03-28 17:22 3,870,720 --a------ C:\WINDOWS\system32\qt-mt323.dll
2007-03-28 17:22
2007-03-28 00:20
2007-03-27 11:33
2007-03-27 11:33
2007-03-27 11:16

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-27 11:52 -------- d-------- C:\Program Files\winamp
2007-04-27 11:52 -------- d-------- C:\Program Files\gadu-gadu
2007-04-27 10:39 -------- d-------- C:\Program Files\netmeter
2007-04-25 21:29 -------- d-------- C:\Program Files\flashget
2007-04-25 20:51 -------- d-------- C:\Program Files\superantispyware
2007-04-23 23:53 -------- d-------- C:\Program Files\quicktime
2007-04-23 14:02 -------- d-------- C:\Program Files\media player classic
2007-04-23 10:30 -------- d-------- C:\Program Files\mapeciĄtka
2007-04-20 21:45 -------- d-------- C:\Program Files\ffdshow
2007-04-19 14:43 -------- d-------- C:\Program Files\songbird
2007-04-16 21:56 -------- d-------- C:\Program Files\xp-antispy
2007-04-14 23:15 -------- d--h----- C:\Program Files\installshield installation information
2007-04-11 15:13 -------- d-------- C:\Program Files\Common Files\onet.pl
2007-04-09 23:53 12338 --a------ C:\WINDOWS\mozver.dat
2007-04-09 23:53 10096 --a------ C:\WINDOWS\unins000.dat
2007-04-03 22:56 -------- d-------- C:\Program Files\movie maker
2007-04-03 09:58 2560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-03-26 21:06 -------- d-------- C:\Program Files\xnview
2007-03-26 12:40 -------- d-------- C:\DOCUME~1\Blemer\DANEAP~1\songbird
2007-03-26 12:37 -------- d-------- C:\Program Files\flvplayer
2007-03-26 12:06 -------- d-------- C:\Program Files\gspot
2007-03-26 11:19 68334 --a------ C:\WINDOWS\system32\perfc015.dat
2007-03-26 11:19 439194 --a------ C:\WINDOWS\system32\perfh015.dat
2007-03-26 11:10 -------- d-------- C:\Program Files\Common Files\panda software
2007-03-25 23:52 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-03-25 23:52 -------- d-------- C:\DOCUME~1\Blemer\DANEAP~1\superantispyware.com
2007-03-24 18:20 -------- d-------- C:\Program Files\microstar
2007-03-24 12:01 -------- d-------- C:\Program Files\irfanview
2007-03-23 23:36 -------- d-------- C:\Program Files\panda software
2007-03-17 15:45 293376 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-16 16:55 -------- d-------- C:\Program Files\avery dennison
2007-03-12 23:41 2004 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-11 14:59 737280 --a------ C:\WINDOWS\iun6002.exe
2007-03-10 19:25 -------- d-------- C:\Program Files\Common Files\teleca shared
2007-03-08 17:38 579072 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 17:38 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:38 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:37 1843840 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 13:15 -------- d-------- C:\Program Files\screamer radio
2007-03-05 23:41 -------- d-------- C:\Program Files\mozilla.org
2007-03-05 00:17 53 --a------ C:\WINDOWS\nsreg2.dat
2007-03-02 12:47 -------- d-------- C:\DOCUME~1\Blemer\DANEAP~1\fltk.org
2007-02-28 22:48 -------- d-------- C:\Program Files\onet
2007-02-28 22:48 -------- d-------- C:\DOCUME~1\Blemer\DANEAP~1\kamerzysta
2007-02-28 22:48 -------- d-------- C:\DOCUME~1\Blemer\DANEAP~1\czat
2007-02-28 22:48 -------- d-------- C:\DOCUME~1\Blemer\DANEAP~1\autoupdate
2007-02-05 22:19 185856 --a------ C:\WINDOWS\system32\upnphost.dll
2007-02-02 15:35 100482 --a------ C:\WINDOWS\uninstallfirefox.exe
2007-02-01 06:56 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-01 06:56 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-01 06:56 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-01 06:56 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-01-31 23:27 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-01-31 13:37 62 --ahs---- C:\DOCUME~1\Blemer\DANEAP~1\desktop.ini
2007-01-31 12:50 0 -rahs---- C:\MSDOS.SYS
2007-01-31 12:50 0 -rahs---- C:\IO.SYS
2007-01-31 12:50 0 --a------ C:\CONFIG.SYS
2007-01-31 12:50 0 --a------ C:\AUTOEXEC.BAT
2007-01-31 12:47 21856 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-01-31 01:15 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-01-30 07:03 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-30 06:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ares"=""C:\Program Files\Ares\Ares.exe" -h"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"APVXDWIN"=""C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s"
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk"
"backup"="C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk"
"backup"="C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE "
"item"="Adobe Reader Synchronizer"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^ATI CATALYST – pasek zadań.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ATI CATALYST – pasek zadań.lnk"
"backup"="C:\WINDOWS\pss\ATI CATALYST – pasek zadań.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\ATITEC~1\ATI.ACE\CLI.exe SystemTray"
"item"="ATI CATALYST – pasek zadań"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADS]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="ADS"
"hkey"="HKCU"
"command"="c:\!killbox\ads.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Ares"
"hkey"="HKCU"
"command"=""C:\Program Files\Ares\Ares.exe" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="cli"
"hkey"="HKLM"
"command"=""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="bittorrent"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\WINDOWS\system32\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Odkurzacz-MCD]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="odk_mcd"
"hkey"="HKCU"
"command"="C:\Program Files\Odkurzacz\odk_mcd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Onet.pl AutoUpdate]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NewAutoUpdate"
"hkey"="HKLM"
"command"="C:\Program Files\Common Files\Onet.pl\NewAutoUpdate.exe /tsr"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPal]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="PalAgnt"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="qttask"
"hkey"="HKLM"
"command"=""C:\Program Files\QuickTime\qttask.exe" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"=""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Application Launcher"
"hkey"="HKLM"
"command"=""C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Steam"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\Program Files\Winamp\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-27 14:18:59
adam9870 (adam9870)
27 April 2007 13:07
#2
Download KillBox, tick Delete on reboot, and in the Full path of file field paste this path:
C:\WINDOWS\system32\edbbcc2_s.dll
Click the red X and reboot.
Manually delete the !killbox folder located directly in the root of the C: partition.
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG >>> double-click the FIX.REG file you created and confirm adding it to the registry >>> restart.
Scan the system with this online scanner:
http://www.ewido.net/en/onlinescan/
Once that is done you can post a new ComboFix log.
adam9870 (adam9870)
27 April 2007 18:17
#4
Manually delete the folder c:\!killbox from the disk.
Start -> Run -> type regedit and click OK -> delete the key:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADS
Then close the Registry Editor and, preferably, restart the computer.
Once that is done you can post a new ComboFix log, just to be sure.
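An added example, not code from the thread or from ComboFix, and not the FIX.REG that adam9870 meant (its contents are not on this page): a small Python triage script that applies the two checks the replies above made by eye to a constructed excerpt shaped like the posted log. It flags a newly created file that is hidden+system inside system32 or whose size is too small to be a PE image (the 5-byte edbbcc2_s.dll), flags an msconfig startupreg entry whose executable lives outside the usual program directories (c:\!killbox\ads.exe), and writes a .reg script that deletes the flagged key, which is what post #4 does by hand in regedit. The excerpt, EXPECTED_ROOTS and MIN_PE_SIZE are my assumptions.

```python
"""Triage helpers for a ComboFix 2007-style log (added example, not ComboFix
code).  Parses the 'Files Created' and 'Reg Loading Points' sections, flags
the two kinds of entry the replies above act on, and writes a .reg script
that removes the flagged msconfig start-up keys."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of the log posted above: two entries that
# should be flagged and a few benign ones as controls.
SAMPLE_LOG = r"""
((((((((( Files Created from 2007-03-27 to 2007-04-27 )))))))))
2007-04-24 16:55 5 --ahs---- C:\WINDOWS\system32\edbbcc2_s.dll
2007-04-12 09:23 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-04-11 23:28 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-01-31 12:50 0 -rahs---- C:\MSDOS.SYS
((((((((( Reg Loading Points )))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADS]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="ADS"
"hkey"="HKCU"
"command"="c:\!killbox\ads.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Ares"
"hkey"="HKCU"
"command"=""C:\Program Files\Ares\Ares.exe" -h"
"inimapping"="0"
"""

# date time size attrs path  (size may carry thousands separators)
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+([\d,]+)\s+([-a-z]{9})\s+(.+)$")
SECTION = re.compile(r"^\[(.+)\]$")
COMMAND = re.compile(r'^"command"="(.*)"$')

# Assumptions, tune per machine: where start-up executables are expected to
# live, and the smallest size a real PE image can have (the MZ header alone
# is 64 bytes, so a 5-byte ".dll" cannot be a loadable library).
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")
MIN_PE_SIZE = 64


def parse_files(log: str) -> List[Tuple[str, int, str, str]]:
    """(date, size, attrs, path) for every file line; bare-date lines are skipped."""
    out = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            date, _time, size, attrs, path = m.groups()
            out.append((date, int(size.replace(",", "")), attrs, path))
    return out


def parse_startupreg(log: str) -> Dict[str, str]:
    """Map each msconfig startupreg key (full registry path) to its command value."""
    entries: Dict[str, str] = {}
    current = None
    for line in log.splitlines():
        line = line.strip()
        sec = SECTION.match(line)
        if sec:
            name = sec.group(1)
            current = name if "\\msconfig\\startupreg\\" in name.lower() else None
            continue
        cmd = COMMAND.match(line)
        if cmd and current:
            entries[current] = cmd.group(1)
    return entries


def flag_files(files: List[Tuple[str, int, str, str]]) -> List[str]:
    """Hidden+system files dropped into system32, or .dll/.exe too small to be a PE."""
    flagged = []
    for _date, size, attrs, path in files:
        low = path.lower()
        in_sys32 = "\\windows\\system32\\" in low
        hidden_sys = "h" in attrs and "s" in attrs
        tiny_pe = low.endswith((".dll", ".exe")) and size < MIN_PE_SIZE
        if (in_sys32 and hidden_sys) or tiny_pe:
            flagged.append(path)
    return flagged


def flag_startup(entries: Dict[str, str]) -> Dict[str, str]:
    """Start-up keys whose executable lives outside EXPECTED_ROOTS."""
    suspect = {}
    for key, cmd in entries.items():
        # first quoted token if the command is quoted, else its first word
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        if not exe.lower().startswith(EXPECTED_ROOTS):
            suspect[key] = cmd
    return suspect


def reg_delete_script(keys) -> str:
    """A .reg file that deletes each key: a leading '-' on a key line removes it."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in keys:
        lines += [f"[-{key}]", ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    print("suspicious files:", flag_files(parse_files(SAMPLE_LOG)))
    bad = flag_startup(parse_startupreg(SAMPLE_LOG))
    print("suspicious start-up keys:", list(bad))
    print(reg_delete_script(bad))
```

The heuristics are deliberately narrow: a hidden+system file in system32 or a "library" smaller than a DOS header is worth a look regardless of its name, while the start-up check only asks where the command points, so an entry such as Ares under Program Files passes and the one under c:\!killbox does not. MSDOS.SYS is kept in the excerpt as a control: it is hidden+system and zero bytes, but it sits in the root and is not a .dll/.exe, so it is correctly left alone. The generated .reg uses the documented regedit syntax where a key name prefixed with "-" deletes that key.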
chalk (chalk)
27 April 2007 18:57
#5
The folders and keys Adam wrote about were no longer there, so I had nothing to delete. I'm posting the ComboFix log once more.
"Blemer" - 07-04-27 20:46:12 Dodatek Service Pack 2
ComboFix 07-03-23 - Running from: "C:\Documents and Settings\Blemer\Pulpit\Nowy folder"

((((((((((((((((((((((((((((((( Files Created from 2007-03-27 to 2007-04-27 ))))))))))))))))))))))))))))))))))

2007-04-24 16:55
2007-04-24 13:59
2007-04-22 22:36
2007-04-18 23:10
2007-04-18 21:42
2007-04-15 23:24
2007-04-15 23:16
2007-04-13 11:02
2007-04-12 12:32
2007-04-12 09:23 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-04-12 00:03 131,072 --a------ C:\WINDOWS\system32\EraserDemo.dll
2007-04-11 23:28 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-04-11 21:52
2007-04-09 23:54 0 --a------ C:\WINDOWS\nsreg.dat
2007-04-08 13:45
2007-04-04 23:13
2007-04-01 14:30
2007-03-31 18:28
2007-03-28 17:22 3,870,720 --a------ C:\WINDOWS\system32\qt-mt323.dll
2007-03-28 17:22
2007-03-28 00:20
2007-03-27 11:33
2007-03-27 11:33
2007-03-27 11:16

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-27 18:09 -------- d-------- C:\Program Files\winamp
2007-04-27 18:01 -------- d-------- C:\Program Files\songbird
2007-04-27 17:53 -------- d-------- C:\Program Files\gadu-gadu
2007-04-27 10:39 -------- d-------- C:\Program Files\netmeter
2007-04-25 21:29 -------- d-------- C:\Program Files\flashget
2007-04-25 20:51 -------- d-------- C:\Program Files\superantispyware
2007-04-23 23:53 -------- d-------- C:\Program Files\quicktime
2007-04-23 14:02 -------- d-------- C:\Program Files\media player classic
2007-04-23 10:30 -------- d-------- C:\Program Files\mapeciĄtka
2007-04-20 21:45 -------- d-------- C:\Program Files\ffdshow
2007-04-16 21:56 -------- d-------- C:\Program Files\xp-antispy
2007-04-14 23:15 -------- d--h----- C:\Program Files\installshield installation information
2007-04-11 15:13 -------- d-------- C:\Program Files\Common Files\onet.pl
2007-04-09 23:53 12338 --a------ C:\WINDOWS\mozver.dat
2007-04-09 23:53 10096 --a------ C:\WINDOWS\unins000.dat
2007-04-03 22:56 -------- d-------- C:\Program Files\movie maker
2007-04-03 09:58 2560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-03-26 21:06 -------- d-------- C:\Program Files\xnview
2007-03-26 12:40 -------- d-------- C:\DOCUME~1\Blemer\DANEAP~1\songbird
2007-03-26 12:37 -------- d-------- C:\Program Files\flvplayer
2007-03-26 12:06 -------- d-------- C:\Program Files\gspot
2007-03-26 11:19 68334 --a------ C:\WINDOWS\system32\perfc015.dat
2007-03-26 11:19 439194 --a------ C:\WINDOWS\system32\perfh015.dat
2007-03-26 11:10 -------- d-------- C:\Program Files\Common Files\panda software
2007-03-25 23:52 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-03-25 23:52 -------- d-------- C:\DOCUME~1\Blemer\DANEAP~1\superantispyware.com
2007-03-24 18:20 -------- d-------- C:\Program Files\microstar
2007-03-24 12:01 -------- d-------- C:\Program Files\irfanview
2007-03-23 23:36 -------- d-------- C:\Program Files\panda software
2007-03-17 15:45 293376 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-16 16:55 -------- d-------- C:\Program Files\avery dennison
2007-03-12 23:41 2004 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-11 14:59 737280 --a------ C:\WINDOWS\iun6002.exe
2007-03-10 19:25 -------- d-------- C:\Program Files\Common Files\teleca shared
2007-03-08 17:38 579072 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 17:38 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:38 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:37 1843840 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 13:15 -------- d-------- C:\Program Files\screamer radio
2007-03-05 23:41 -------- d-------- C:\Program Files\mozilla.org
2007-03-05 00:17 53 --a------ C:\WINDOWS\nsreg2.dat
2007-03-02 12:47 -------- d-------- C:\DOCUME~1\Blemer\DANEAP~1\fltk.org
2007-02-28 22:48 -------- d-------- C:\Program Files\onet
2007-02-28 22:48 -------- d-------- C:\DOCUME~1\Blemer\DANEAP~1\kamerzysta
2007-02-28 22:48 -------- d-------- C:\DOCUME~1\Blemer\DANEAP~1\czat
2007-02-28 22:48 -------- d-------- C:\DOCUME~1\Blemer\DANEAP~1\autoupdate
2007-02-05 22:19 185856 --a------ C:\WINDOWS\system32\upnphost.dll
2007-02-02 15:35 100482 --a------ C:\WINDOWS\uninstallfirefox.exe
2007-02-01 06:56 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-01 06:56 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-01 06:56 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-01 06:56 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-01-31 23:27 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-01-31 13:37 62 --ahs---- C:\DOCUME~1\Blemer\DANEAP~1\desktop.ini
2007-01-31 12:50 0 -rahs---- C:\MSDOS.SYS
2007-01-31 12:50 0 -rahs---- C:\IO.SYS
2007-01-31 12:50 0 --a------ C:\CONFIG.SYS
2007-01-31 12:50 0 --a------ C:\AUTOEXEC.BAT
2007-01-31 12:47 21856 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-01-31 01:15 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-01-30 07:03 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-30 06:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ares"=""C:\Program Files\Ares\Ares.exe" -h"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"APVXDWIN"=""C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s"
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk"
"backup"="C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk"
"backup"="C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE "
"item"="Adobe Reader Synchronizer"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^ATI CATALYST – pasek zadań.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ATI CATALYST – pasek zadań.lnk"
"backup"="C:\WINDOWS\pss\ATI CATALYST – pasek zadań.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\ATITEC~1\ATI.ACE\CLI.exe SystemTray"
"item"="ATI CATALYST – pasek zadań"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Ares"
"hkey"="HKCU"
"command"=""C:\Program Files\Ares\Ares.exe" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="cli"
"hkey"="HKLM"
"command"=""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="bittorrent"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\WINDOWS\system32\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Odkurzacz-MCD]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="odk_mcd"
"hkey"="HKCU"
"command"="C:\Program Files\Odkurzacz\odk_mcd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Onet.pl AutoUpdate]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NewAutoUpdate"
"hkey"="HKLM"
"command"="C:\Program Files\Common Files\Onet.pl\NewAutoUpdate.exe /tsr"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPal]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="PalAgnt"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="qttask"
"hkey"="HKLM"
"command"=""C:\Program Files\QuickTime\qttask.exe" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"=""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Application Launcher"
"hkey"="HKLM"
"command"=""C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Steam"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\Program Files\Winamp\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-27 20:49:09