GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-24 11:44:02
Windows 5.1.2600

---- System - GMER 1.0.12 ----

SSDT  sptd.sys  ZwCreateKey
SSDT  sptd.sys  ZwEnumerateKey
SSDT  sptd.sys  ZwEnumerateValueKey
SSDT  sptd.sys  ZwOpenKey
SSDT  sptd.sys  ZwQueryKey
SSDT  sptd.sys  ZwQueryValueKey
SSDT  sptd.sys  ZwSetValueKey

---- Kernel code sections - GMER 1.0.12 ----

.text  ntoskrnl.exe!FsRtlLegalAnsiCharacterArray + 130  804F2098 4 Bytes  [ D0, D0, 42, F8 ]
.text  ntoskrnl.exe!FsRtlLegalAnsiCharacterArray + 1A8  804F2110 4 Bytes  [ B2, 2F, 43, F8 ]
.text  ntoskrnl.exe!FsRtlLegalAnsiCharacterArray + 1B0  804F2118 4 Bytes  [ 40, 33, 43, F8 ]
.text  ntoskrnl.exe!FsRtlLegalAnsiCharacterArray + 268  804F21D0 4 Bytes  [ B0, D0, 42, F8 ]
.text  ntoskrnl.exe!FsRtlLegalAnsiCharacterArray + 30C  804F2274 4 Bytes  [ 18, 34, 43, F8 ]
.text  ...
?      C:\WINDOWS\system32\drivers\sptd.sys  The process cannot access the file because it is being used by another process.
.text  USBPORT.SYS!DllUnload  F804EDBC 5 Bytes  JMP 81D581C8

---- Devices - GMER 1.0.12 ----

Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_CREATE  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_CLOSE  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_READ  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_WRITE  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_QUERY_INFORMATION  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_SET_INFORMATION  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_QUERY_EA  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_SET_EA  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_FLUSH_BUFFERS  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_QUERY_VOLUME_INFORMATION  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_SET_VOLUME_INFORMATION  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_DIRECTORY_CONTROL  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_FILE_SYSTEM_CONTROL  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_DEVICE_CONTROL  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_SHUTDOWN  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_LOCK_CONTROL  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_CLEANUP  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_QUERY_SECURITY  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_SET_SECURITY  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_QUERY_QUOTA  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_SET_QUOTA  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_PNP  81F691E8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{1F562149-36F1-4206-81FC-614613D5647D}  IRP_MJ_CREATE  81B641E8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{1F562149-36F1-4206-81FC-614613D5647D}  IRP_MJ_CLOSE  81B641E8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{1F562149-36F1-4206-81FC-614613D5647D}  IRP_MJ_DEVICE_CONTROL  81B641E8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{1F562149-36F1-4206-81FC-614613D5647D}  IRP_MJ_INTERNAL_DEVICE_CONTROL  81B641E8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{1F562149-36F1-4206-81FC-614613D5647D}  IRP_MJ_CLEANUP  81B641E8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{1F562149-36F1-4206-81FC-614613D5647D}  IRP_MJ_PNP  81B641E8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{8EBB19A8-9505-4C23-AA68-3B891CE5DA7C}  IRP_MJ_CREATE  81B641E8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{8EBB19A8-9505-4C23-AA68-3B891CE5DA7C}  IRP_MJ_CLOSE  81B641E8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{8EBB19A8-9505-4C23-AA68-3B891CE5DA7C}  IRP_MJ_DEVICE_CONTROL  81B641E8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{8EBB19A8-9505-4C23-AA68-3B891CE5DA7C}  IRP_MJ_INTERNAL_DEVICE_CONTROL  81B641E8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{8EBB19A8-9505-4C23-AA68-3B891CE5DA7C}  IRP_MJ_CLEANUP  81B641E8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{8EBB19A8-9505-4C23-AA68-3B891CE5DA7C}  IRP_MJ_PNP  81B641E8
Device  \Driver\usbuhci \Device\USBPDO-0  IRP_MJ_CREATE  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-0  IRP_MJ_CLOSE  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-0  IRP_MJ_DEVICE_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-0  IRP_MJ_INTERNAL_DEVICE_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-0  IRP_MJ_POWER  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-0  IRP_MJ_SYSTEM_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-0  IRP_MJ_PNP  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-1  IRP_MJ_CREATE  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-1  IRP_MJ_CLOSE  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-1  IRP_MJ_DEVICE_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-1  IRP_MJ_INTERNAL_DEVICE_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-1  IRP_MJ_POWER  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-1  IRP_MJ_SYSTEM_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-1  IRP_MJ_PNP  81E061E8
Device  \Driver\dmio \Device\DmControl\DmIoDaemon  IRP_MJ_CREATE  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmIoDaemon  IRP_MJ_CLOSE  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmIoDaemon  IRP_MJ_READ  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmIoDaemon  IRP_MJ_WRITE  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmIoDaemon  IRP_MJ_FLUSH_BUFFERS  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmIoDaemon  IRP_MJ_DEVICE_CONTROL  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmIoDaemon  IRP_MJ_INTERNAL_DEVICE_CONTROL  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmIoDaemon  IRP_MJ_SHUTDOWN  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmIoDaemon  IRP_MJ_POWER  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmIoDaemon  IRP_MJ_SYSTEM_CONTROL  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmIoDaemon  IRP_MJ_PNP  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmConfig  IRP_MJ_CREATE  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmConfig  IRP_MJ_CLOSE  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmConfig  IRP_MJ_READ  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmConfig  IRP_MJ_WRITE  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmConfig  IRP_MJ_FLUSH_BUFFERS  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmConfig  IRP_MJ_DEVICE_CONTROL  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmConfig  IRP_MJ_INTERNAL_DEVICE_CONTROL  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmConfig  IRP_MJ_SHUTDOWN  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmConfig  IRP_MJ_POWER  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmConfig  IRP_MJ_SYSTEM_CONTROL  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmConfig  IRP_MJ_PNP  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmPnP  IRP_MJ_CREATE  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmPnP  IRP_MJ_CLOSE  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmPnP  IRP_MJ_READ  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmPnP  IRP_MJ_WRITE  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmPnP  IRP_MJ_FLUSH_BUFFERS  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmPnP  IRP_MJ_DEVICE_CONTROL  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmPnP  IRP_MJ_INTERNAL_DEVICE_CONTROL  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmPnP  IRP_MJ_SHUTDOWN  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmPnP  IRP_MJ_POWER  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmPnP  IRP_MJ_SYSTEM_CONTROL  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmPnP  IRP_MJ_PNP  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmInfo  IRP_MJ_CREATE  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmInfo  IRP_MJ_CLOSE  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmInfo  IRP_MJ_READ  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmInfo  IRP_MJ_WRITE  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmInfo  IRP_MJ_FLUSH_BUFFERS  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmInfo  IRP_MJ_DEVICE_CONTROL  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmInfo  IRP_MJ_INTERNAL_DEVICE_CONTROL  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmInfo  IRP_MJ_SHUTDOWN  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmInfo  IRP_MJ_POWER  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmInfo  IRP_MJ_SYSTEM_CONTROL  81FDC1E8
Device  \Driver\dmio \Device\DmControl\DmInfo  IRP_MJ_PNP  81FDC1E8
Device  \Driver\usbuhci \Device\USBPDO-2  IRP_MJ_CREATE  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-2  IRP_MJ_CLOSE  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-2  IRP_MJ_DEVICE_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-2  IRP_MJ_INTERNAL_DEVICE_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-2  IRP_MJ_POWER  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-2  IRP_MJ_SYSTEM_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBPDO-2  IRP_MJ_PNP  81E061E8
Device  \Driver\Ftdisk \Device\HarddiskVolume1  IRP_MJ_CREATE  81F6B1E8
Device  \Driver\Ftdisk \Device\HarddiskVolume1  IRP_MJ_READ  81F6B1E8
Device  \Driver\Ftdisk \Device\HarddiskVolume1  IRP_MJ_WRITE  81F6B1E8
Device  \Driver\Ftdisk \Device\HarddiskVolume1  IRP_MJ_FLUSH_BUFFERS  81F6B1E8
Device  \Driver\Ftdisk \Device\HarddiskVolume1  IRP_MJ_DEVICE_CONTROL  81F6B1E8
Device  \Driver\Ftdisk \Device\HarddiskVolume1  IRP_MJ_INTERNAL_DEVICE_CONTROL  81F6B1E8
Device  \Driver\Ftdisk \Device\HarddiskVolume1  IRP_MJ_SHUTDOWN  81F6B1E8
Device  \Driver\Ftdisk \Device\HarddiskVolume1  IRP_MJ_CLEANUP  81F6B1E8
Device  \Driver\Ftdisk \Device\HarddiskVolume1  IRP_MJ_POWER  81F6B1E8
Device  \Driver\Ftdisk \Device\HarddiskVolume1  IRP_MJ_SYSTEM_CONTROL  81F6B1E8
Device  \Driver\Ftdisk \Device\HarddiskVolume1  IRP_MJ_PNP  81F6B1E8
Device  \Driver\Cdrom \Device\CdRom0  IRP_MJ_CREATE  81E071E8
Device  \Driver\Cdrom \Device\CdRom0  IRP_MJ_CLOSE  81E071E8
Device  \Driver\Cdrom \Device\CdRom0  IRP_MJ_READ  81E071E8
Device  \Driver\Cdrom \Device\CdRom0  IRP_MJ_WRITE  81E071E8
Device  \Driver\Cdrom \Device\CdRom0  IRP_MJ_FLUSH_BUFFERS  81E071E8
Device  \Driver\Cdrom \Device\CdRom0  IRP_MJ_DEVICE_CONTROL  81E071E8
Device  \Driver\Cdrom \Device\CdRom0  IRP_MJ_INTERNAL_DEVICE_CONTROL  81E071E8
Device  \Driver\Cdrom \Device\CdRom0  IRP_MJ_SHUTDOWN  81E071E8
Device  \Driver\Cdrom \Device\CdRom0  IRP_MJ_POWER  81E071E8
Device  \Driver\Cdrom \Device\CdRom0  IRP_MJ_SYSTEM_CONTROL  81E071E8
Device  \Driver\Cdrom \Device\CdRom0  IRP_MJ_PNP  81E071E8
Device  \Driver\NetBT \Device\NetBt_Wins_Export  IRP_MJ_CREATE  81B641E8
Device  \Driver\NetBT \Device\NetBt_Wins_Export  IRP_MJ_CLOSE  81B641E8
Device  \Driver\NetBT \Device\NetBt_Wins_Export  IRP_MJ_DEVICE_CONTROL  81B641E8
Device  \Driver\NetBT \Device\NetBt_Wins_Export  IRP_MJ_INTERNAL_DEVICE_CONTROL  81B641E8
Device  \Driver\NetBT \Device\NetBt_Wins_Export  IRP_MJ_CLEANUP  81B641E8
Device  \Driver\NetBT \Device\NetBt_Wins_Export  IRP_MJ_PNP  81B641E8
Device  \Driver\usbuhci \Device\USBFDO-0  IRP_MJ_CREATE  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-0  IRP_MJ_CLOSE  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-0  IRP_MJ_DEVICE_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-0  IRP_MJ_INTERNAL_DEVICE_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-0  IRP_MJ_POWER  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-0  IRP_MJ_SYSTEM_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-0  IRP_MJ_PNP  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-1  IRP_MJ_CREATE  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-1  IRP_MJ_CLOSE  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-1  IRP_MJ_DEVICE_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-1  IRP_MJ_INTERNAL_DEVICE_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-1  IRP_MJ_POWER  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-1  IRP_MJ_SYSTEM_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-1  IRP_MJ_PNP  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-2  IRP_MJ_CREATE  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-2  IRP_MJ_CLOSE  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-2  IRP_MJ_DEVICE_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-2  IRP_MJ_INTERNAL_DEVICE_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-2  IRP_MJ_POWER  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-2  IRP_MJ_SYSTEM_CONTROL  81E061E8
Device  \Driver\usbuhci \Device\USBFDO-2  IRP_MJ_PNP  81E061E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_CREATE  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_CREATE_NAMED_PIPE  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_CLOSE  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_READ  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_WRITE  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_QUERY_INFORMATION  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_SET_INFORMATION  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_QUERY_EA  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_SET_EA  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_FLUSH_BUFFERS  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_QUERY_VOLUME_INFORMATION  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_SET_VOLUME_INFORMATION  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_DIRECTORY_CONTROL  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_FILE_SYSTEM_CONTROL  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_DEVICE_CONTROL  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_INTERNAL_DEVICE_CONTROL  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_SHUTDOWN  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_LOCK_CONTROL  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_CLEANUP  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_CREATE_MAILSLOT  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_QUERY_SECURITY  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_SET_SECURITY  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_POWER  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_SYSTEM_CONTROL  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_DEVICE_CHANGE  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_QUERY_QUOTA  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_SET_QUOTA  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  IRP_MJ_PNP  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_CREATE  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_CREATE_NAMED_PIPE  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_CLOSE  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_READ  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_WRITE  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_QUERY_INFORMATION  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_SET_INFORMATION  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_QUERY_EA  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_SET_EA  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_FLUSH_BUFFERS  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_QUERY_VOLUME_INFORMATION  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_SET_VOLUME_INFORMATION  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_DIRECTORY_CONTROL  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_FILE_SYSTEM_CONTROL  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_DEVICE_CONTROL  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_INTERNAL_DEVICE_CONTROL  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_SHUTDOWN  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_LOCK_CONTROL  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_CLEANUP  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_CREATE_MAILSLOT  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_QUERY_SECURITY  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_SET_SECURITY  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_POWER  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_SYSTEM_CONTROL  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_DEVICE_CHANGE  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_QUERY_QUOTA  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_SET_QUOTA  817D31E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  IRP_MJ_PNP  817D31E8
Device  \Driver\Ftdisk \Device\FtControl  IRP_MJ_CREATE  81F6B1E8
Device  \Driver\Ftdisk \Device\FtControl  IRP_MJ_READ  81F6B1E8
Device  \Driver\Ftdisk \Device\FtControl  IRP_MJ_WRITE  81F6B1E8
Device  \Driver\Ftdisk \Device\FtControl  IRP_MJ_FLUSH_BUFFERS  81F6B1E8
Device  \Driver\Ftdisk \Device\FtControl  IRP_MJ_DEVICE_CONTROL  81F6B1E8
Device  \Driver\Ftdisk \Device\FtControl  IRP_MJ_INTERNAL_DEVICE_CONTROL  81F6B1E8
Device  \Driver\Ftdisk \Device\FtControl  IRP_MJ_SHUTDOWN  81F6B1E8
Device  \Driver\Ftdisk \Device\FtControl  IRP_MJ_CLEANUP  81F6B1E8
Device  \Driver\Ftdisk \Device\FtControl  IRP_MJ_POWER  81F6B1E8
Device  \Driver\Ftdisk \Device\FtControl  IRP_MJ_SYSTEM_CONTROL  81F6B1E8
Device  \Driver\Ftdisk \Device\FtControl  IRP_MJ_PNP  81F6B1E8
Device  \FileSystem\Cdfs \Cdfs  IRP_MJ_CREATE  81B741E8
Device  \FileSystem\Cdfs \Cdfs  IRP_MJ_CLOSE  81B741E8
Device  \FileSystem\Cdfs \Cdfs  IRP_MJ_READ  81B741E8
Device  \FileSystem\Cdfs \Cdfs  IRP_MJ_QUERY_INFORMATION  81B741E8
Device  \FileSystem\Cdfs \Cdfs  IRP_MJ_SET_INFORMATION  81B741E8
Device  \FileSystem\Cdfs \Cdfs  IRP_MJ_QUERY_VOLUME_INFORMATION  81B741E8
Device  \FileSystem\Cdfs \Cdfs  IRP_MJ_DIRECTORY_CONTROL  81B741E8
Device  \FileSystem\Cdfs \Cdfs  IRP_MJ_FILE_SYSTEM_CONTROL  81B741E8
Device  \FileSystem\Cdfs \Cdfs  IRP_MJ_DEVICE_CONTROL  81B741E8
Device  \FileSystem\Cdfs \Cdfs  IRP_MJ_SHUTDOWN  81B741E8
Device  \FileSystem\Cdfs \Cdfs  IRP_MJ_LOCK_CONTROL  81B741E8
Device  \FileSystem\Cdfs \Cdfs  IRP_MJ_CLEANUP  81B741E8
Device  \FileSystem\Cdfs \Cdfs  IRP_MJ_PNP  81B741E8

---- EOF - GMER 1.0.12 ----
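Added example (editor's code, not part of the post and not GMER's): a small parser that reads a GMER text log like the one above and pulls out what a log helper looks at first. It groups SSDT hooks by the module that owns them (every hook above is attributed to sptd.sys, the disc-emulation driver that Daemon Tools and Alcohol 120% install, which hooks the registry Zw* services by design and is a well-known source of such entries), separates inline JMP detours from plain byte patches in the kernel code section, and reports devices whose every listed IRP_MJ_* major function resolves to one address. The sample lines are constructed in GMER's format and copy a few addresses from the log; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample in the line shapes GMER 1.0.12 prints: a handful of lines
# modelled on the log above, not the full log.
SAMPLE_GMER = r"""
SSDT   sptd.sys  ZwCreateKey
SSDT   sptd.sys  ZwOpenKey
.text  ntoskrnl.exe!FsRtlLegalAnsiCharacterArray + 130  804F2098 4 Bytes  [ D0, D0, 42, F8 ]
.text  USBPORT.SYS!DllUnload  F804EDBC 5 Bytes  JMP 81D581C8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_CREATE  81F691E8
Device  \FileSystem\Ntfs \Ntfs  IRP_MJ_READ  81F691E8
Device  \Driver\Cdrom \Device\CdRom0  IRP_MJ_CREATE  81E071E8
Device  \Driver\Cdrom \Device\CdRom0  IRP_MJ_READ  81E071E8
Device  \Driver\Ftdisk \Device\FtControl  IRP_MJ_CREATE  81F6B1E8
"""

SSDT_RE = re.compile(r'^SSDT\s+(\S+)\s+(Zw\w+)')
# symbol (may contain "+ offset"), address, byte count, then either a byte list or a JMP target
TEXT_RE = re.compile(r'^\.text\s+(.+?)\s+([0-9A-F]{8})\s+(\d+)\s+Bytes\s+(.*)$')
DEVICE_RE = re.compile(r'^Device\s+(\S+)\s+(\S+)\s+(IRP_MJ_\w+)\s+([0-9A-F]{8})')


def parse_gmer(text):
    """Split a GMER text log into SSDT hooks, kernel code patches and device dispatch entries."""
    ssdt = defaultdict(list)      # hooking module -> [hooked Zw* system service]
    patches = []                  # modified kernel code bytes, one dict per .text line
    devices = defaultdict(dict)   # "driver device" -> {IRP_MJ_x: handler address}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            ssdt[m.group(1)].append(m.group(2))
        elif m := TEXT_RE.match(line):
            sym, addr, nbytes, detail = m.groups()
            patches.append({'symbol': sym, 'address': addr,
                            'bytes': int(nbytes), 'detail': detail})
        elif m := DEVICE_RE.match(line):
            drv, dev, irp, handler = m.groups()
            devices[f'{drv} {dev}'][irp] = handler
    return ssdt, patches, devices


def uniform_dispatch(devices):
    """Devices whose every listed IRP_MJ_* handler is the same address.

    GMER lists a handler when it points outside the owning driver; all of them
    resolving to one address means a single routine intercepts every listed
    request type. One entry proves nothing, so two or more are required."""
    return {dev: next(iter(set(table.values())))
            for dev, table in devices.items()
            if len(table) >= 2 and len(set(table.values())) == 1}


def summarize(text):
    """Triage view: SSDT hooks per module, JMP detours apart from byte patches,
    and uniformly hooked dispatch tables."""
    ssdt, patches, devices = parse_gmer(text)
    return {
        'ssdt_by_module': {mod: sorted(fns) for mod, fns in ssdt.items()},
        'inline_jmps': [p for p in patches if p['detail'].startswith('JMP')],
        'byte_patches': [p for p in patches if not p['detail'].startswith('JMP')],
        'uniform_dispatch': uniform_dispatch(devices),
    }


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_GMER).items():
        print(key, value)
```

Run against the full log, the "ssdt_by_module" entry names one module for all seven hooks; that is the question to answer first (which driver, installed when, by what product) before treating any SSDT line as a rootkit. The "? C:\WINDOWS\system32\drivers\sptd.sys ..." line is deliberately not parsed: it only says GMER could not open the file.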
- Forum komputerowe
- → Viewing profile: Posts: diablllooo
In topic: Logs - A long time without antivirus
24 06 2007 - 11:45
In topic: Logs - A long time without antivirus
23 06 2007 - 22:47
SmitFraudFix v2.195
Scan done at 22:45:30,74, 2007-06-23
Run from C:\Documents and Settings\Karol\Pulpit\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Ralink RT2500 Wireless LAN Card - Sterownik miniport Harmonogramu pakietów
DNS Server Search Order: 192.168.8.1
DNS Server Search Order: 194.204.152.34
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1F562149-36F1-4206-81FC-614613D5647D}: DhcpNameServer=192.168.8.1 194.204.152.34
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1F562149-36F1-4206-81FC-614613D5647D}: DhcpNameServer=192.168.8.1 194.204.152.34
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1F562149-36F1-4206-81FC-614613D5647D}: DhcpNameServer=192.168.8.1 194.204.152.34
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.8.1 194.204.152.34
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.8.1 194.204.152.34
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.8.1 194.204.152.34
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
In topic: Logs - A long time without antivirus
23 06 2007 - 19:51
For one of them there's no way to make the icon next to it turn green.
http://img255.imageshack.us/my.php?image=aaaox8.png
I found a post where a guy has a problem similar to mine, but they didn't help him there.
http://forum.idg.pl/lofiversion/index.php/t26630.html
In topic: Logs - A long time without antivirus
23 06 2007 - 17:55
Logfile of HijackThis v1.99.1
Scan saved at 17:51:43, on 2007-06-23
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Winkoe.exe
C:\Program Files\Kl1.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
C:\Program Files\Messenger\msmsgsgmw.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Jp4.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\WinRAR\WinRARcbu.exe
C:\WINDOWS\System32\wuauclt.exe
C:\DOCUME~1\Karol\USTAWI~1\Temp\Rar$EX00.500\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Winkoe - Unknown owner - C:\WINDOWS\System32\Winkoe.exe
ComboFix 07-06-18.2 - C:\Documents and Settings\Karol\Pulpit\ComboFix.exe
"Karol" - 2007-06-23 17:52:47 NTFS
((((((((((((((((((((((((( Files Created from 2007-05-23 to 2007-06-23 )))))))))))))))))))))))))))))))
2007-06-23 17:50 10,240 --a------ C:\Program Files\Kl1.exe
2007-06-23 17:50 10,240 --a------ C:\Program Files\Jp4.exe
2007-06-23 12:47 10,240 --a------ C:\Program Files\Dt10.exe
2007-06-23 12:16 10,240 --a------ C:\Program Files\Qot1.exe
2007-06-23 12:14 <DIR> d-------- C:\Program Files\BitTorrent
2007-06-23 11:35 <DIR> d-------- C:\Program Files\LimeWire
2007-06-23 11:20 <DIR> d-------- C:\Program Files\Infogrames
2007-06-23 11:18 <DIR> d-------- C:\temp\asterixdemo
2007-06-23 11:18 <DIR> d-------- C:\temp
2007-06-23 11:05 10,240 --a------ C:\Program Files\Ye1.exe
2007-06-20 15:17 <DIR> d-------- C:\Program Files\7-Zip
2007-06-19 17:21 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-18 22:41 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-18 22:41 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji
2007-06-18 22:41 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty
2007-06-18 22:36 <DIR> d--hs---- C:\WINDOWS\CSC
2007-06-17 18:07 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-06-17 18:07 <DIR> d-------- C:\Program Files\EA GAMES
2007-06-17 15:13 <DIR> d-------- C:\Program Files\Volleyball Manager
2007-06-06 08:06 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-06 08:06 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-06 08:05 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-06 08:05 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-06-06 08:05 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-06-06 08:05 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-06-06 08:03 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-05 22:20 4 --a------ C:\WINDOWS\system32\proc625010911.bin
2007-06-05 22:20 <DIR> d-------- C:\DOCUME~1\Karol\DANEAP~1\GanymedeNet
2007-06-03 18:51 <DIR> d-------- C:\Program Files\GSC Game World
2007-06-01 12:40 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-01 08:14 <DIR> d-------- C:\Program Files\AC3Filter
2007-06-01 08:08 <DIR> d-------- C:\Program Files\BearShare
2007-06-01 08:08 <DIR> d-------- C:\My Downloads
2007-05-23 19:19 <DIR> d-------- C:\WINDOWS\Cache
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-23 09:20:18 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-23 07:26:35 -------- d-----w C:\DOCUME~1\Karol\DANEAP~1\Skype
2007-06-19 17:49:33 67,078 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-06-19 17:49:33 435,978 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-06-13 19:27:40 2,320 ----a-w C:\WINDOWS\mozver.dat
2007-05-23 17:08:54 -------- d-----w C:\Program Files\Gadu-Gadu
2007-05-22 16:25:10 -------- d-----w C:\Program Files\EA SPORTS
2007-05-22 15:59:24 -------- d-----w C:\Program Files\Messenger
2007-05-21 19:06:29 -------- d-----w C:\Program Files\Ahead
2007-05-21 19:06:20 -------- d-----w C:\Program Files\Common Files\Ahead
2007-05-21 09:02:29 -------- d-----w C:\DOCUME~1\Karol\DANEAP~1\U3
1617-10-26 20:34:13 89,144 --sha-r C:\WINDOWS\system32\Winkoe.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"SoundMan"="SOUNDMAN.EXE" []
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-08-01 17:04]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-11-14 11:12]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 18:32]
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-23 17:54:05
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-23 17:54:31
C:\ComboFix2.txt ... 2007-06-23 09:28
C:\ComboFix3.txt ... 2007-06-21 21:43
--- E O F ---
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SoundMan" = "SOUNDMAN.EXE" [file not found]
"BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "&Do osób..."
-> {HKLM...CLSID} = "&Do osób..."
\InProcServer32\(Default) = "C:\Program Files\Outlook Express\wabfind.dll" [file not found]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Tapeta pulpitu.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Karol\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"
Logfile of HijackThis v1.99.1
Scan saved at 17:51:43, on 2007-06-23
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Winkoe.exe
C:\Program Files\Kl1.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
C:\Program Files\Messenger\msmsgsgmw.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Jp4.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\WinRAR\WinRARcbu.exe
C:\WINDOWS\System32\wuauclt.exe
C:\DOCUME~1\Karol\USTAWI~1\Temp\Rar$EX00.500\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Winkoe - Unknown owner - C:\WINDOWS\System32\Winkoe.exe
ComboFix 07-06-18.2 - C:\Documents and Settings\Karol\Pulpit\ComboFix.exe
"Karol" - 2007-06-23 17:52:47 NTFS
((((((((((((((((((((((((( Files Created from 2007-05-23 to 2007-06-23 )))))))))))))))))))))))))))))))
2007-06-23 17:50 10,240 --a------ C:\Program Files\Kl1.exe
2007-06-23 17:50 10,240 --a------ C:\Program Files\Jp4.exe
2007-06-23 12:47 10,240 --a------ C:\Program Files\Dt10.exe
2007-06-23 12:16 10,240 --a------ C:\Program Files\Qot1.exe
2007-06-23 12:14 <DIR> d-------- C:\Program Files\BitTorrent
2007-06-23 11:35 <DIR> d-------- C:\Program Files\LimeWire
2007-06-23 11:20 <DIR> d-------- C:\Program Files\Infogrames
2007-06-23 11:18 <DIR> d-------- C:\temp\asterixdemo
2007-06-23 11:18 <DIR> d-------- C:\temp
2007-06-23 11:05 10,240 --a------ C:\Program Files\Ye1.exe
2007-06-20 15:17 <DIR> d-------- C:\Program Files\7-Zip
2007-06-19 17:21 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-18 22:41 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-18 22:41 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji
2007-06-18 22:41 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty
2007-06-18 22:36 <DIR> d--hs---- C:\WINDOWS\CSC
2007-06-17 18:07 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-06-17 18:07 <DIR> d-------- C:\Program Files\EA GAMES
2007-06-17 15:13 <DIR> d-------- C:\Program Files\Volleyball Manager
2007-06-06 08:06 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-06 08:06 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-06 08:05 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-06 08:05 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-06-06 08:05 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-06-06 08:05 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-06-06 08:03 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-05 22:20 4 --a------ C:\WINDOWS\system32\proc625010911.bin
2007-06-05 22:20 <DIR> d-------- C:\DOCUME~1\Karol\DANEAP~1\GanymedeNet
2007-06-03 18:51 <DIR> d-------- C:\Program Files\GSC Game World
2007-06-01 12:40 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-01 08:14 <DIR> d-------- C:\Program Files\AC3Filter
2007-06-01 08:08 <DIR> d-------- C:\Program Files\BearShare
2007-06-01 08:08 <DIR> d-------- C:\My Downloads
2007-05-23 19:19 <DIR> d-------- C:\WINDOWS\Cache
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-23 09:20:18 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-23 07:26:35 -------- d-----w C:\DOCUME~1\Karol\DANEAP~1\Skype
2007-06-19 17:49:33 67,078 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-06-19 17:49:33 435,978 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-06-13 19:27:40 2,320 ----a-w C:\WINDOWS\mozver.dat
2007-05-23 17:08:54 -------- d-----w C:\Program Files\Gadu-Gadu
2007-05-22 16:25:10 -------- d-----w C:\Program Files\EA SPORTS
2007-05-22 15:59:24 -------- d-----w C:\Program Files\Messenger
2007-05-21 19:06:29 -------- d-----w C:\Program Files\Ahead
2007-05-21 19:06:20 -------- d-----w C:\Program Files\Common Files\Ahead
2007-05-21 09:02:29 -------- d-----w C:\DOCUME~1\Karol\DANEAP~1\U3
1617-10-26 20:34:13 89,144 --sha-r C:\WINDOWS\system32\Winkoe.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"SoundMan"="SOUNDMAN.EXE" []
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-08-01 17:04]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-11-14 11:12]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 18:32]
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-23 17:54:05
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-23 17:54:31
C:\ComboFix2.txt ... 2007-06-23 09:28
C:\ComboFix3.txt ... 2007-06-21 21:43
--- E O F ---
In thread: Logs - Long period without antivirus
23 06 2007 - 09:33
ComboFix 07-06-18.2 - C:\Documents and Settings\Karol\Pulpit\ComboFix.exe
"Karol" - 2007-06-23 9:27:09 NTFS
((((((((((((((((((((((((( Files Created from 2007-05-23 to 2007-06-23 )))))))))))))))))))))))))))))))
2007-06-23 09:26 10,240 --a------ C:\Program Files\Yq1.exe
2007-06-23 09:10 10,240 --a------ C:\Program Files\Bp1.exe
2007-06-23 07:42 10,240 --a------ C:\Program Files\VykF.exe
2007-06-20 15:17 <DIR> d-------- C:\Program Files\7-Zip
2007-06-19 17:21 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-18 22:41 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-18 22:41 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji
2007-06-18 22:41 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty
2007-06-18 22:36 <DIR> d--hs---- C:\WINDOWS\CSC
2007-06-17 18:07 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-06-17 18:07 <DIR> d-------- C:\Program Files\EA GAMES
2007-06-17 15:13 <DIR> d-------- C:\Program Files\Volleyball Manager
2007-06-06 08:06 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-06 08:06 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-06 08:05 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-06 08:05 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-06-06 08:05 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-06-06 08:05 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-06-06 08:03 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-05 22:20 4 --a------ C:\WINDOWS\system32\proc625010911.bin
2007-06-05 22:20 <DIR> d-------- C:\DOCUME~1\Karol\DANEAP~1\GanymedeNet
2007-06-03 18:51 <DIR> d-------- C:\Program Files\GSC Game World
2007-06-01 12:40 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-01 08:14 <DIR> d-------- C:\Program Files\AC3Filter
2007-06-01 08:08 <DIR> d-------- C:\Program Files\BearShare
2007-06-01 08:08 <DIR> d-------- C:\My Downloads
2007-05-23 19:19 <DIR> d-------- C:\WINDOWS\Cache
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-23 07:26:35 -------- d-----w C:\DOCUME~1\Karol\DANEAP~1\Skype
2007-06-19 17:49:33 67,078 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-06-19 17:49:33 435,978 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-06-13 19:27:40 2,320 ----a-w C:\WINDOWS\mozver.dat
2007-06-03 16:51:45 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-23 17:08:54 -------- d-----w C:\Program Files\Gadu-Gadu
2007-05-22 16:25:10 -------- d-----w C:\Program Files\EA SPORTS
2007-05-22 15:59:24 -------- d-----w C:\Program Files\Messenger
2007-05-21 19:06:29 -------- d-----w C:\Program Files\Ahead
2007-05-21 19:06:20 -------- d-----w C:\Program Files\Common Files\Ahead
2007-05-21 09:02:29 -------- d-----w C:\DOCUME~1\Karol\DANEAP~1\U3
2007-05-21 08:56:18 92,134 --sha-r C:\WINDOWS\system32\Winkhx.exe
2006-08-18 08:11:33 94,549 --sha-r C:\WINDOWS\system32\Winkav.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"SoundMan"="SOUNDMAN.EXE" []
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-08-01 17:04]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-11-14 11:12]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 18:32]
*Newly Created Service* - WINKAV
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-23 09:28:25
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-23 9:28:42
C:\ComboFix2.txt ... 2007-06-21 21:43
Logfile of HijackThis v1.99.1
Scan saved at 09:33:11, on 2007-06-23
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\Winkav.exe
C:\Program Files\Messenger\msmsgsgmw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\WinRAR\WinRARcbu.exe
C:\DOCUME~1\Karol\USTAWI~1\Temp\Rar$EX00.718\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Winkav - Unknown owner - C:\WINDOWS\System32\Winkav.exe
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SoundMan" = "SOUNDMAN.EXE" [file not found]
"BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "&Do osób..."
-> {HKLM...CLSID} = "&Do osób..."
\InProcServer32\(Default) = "C:\Program Files\Outlook Express\wabfind.dll" [file not found]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Tapeta pulpitu.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Karol\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"
"Karol" - 2007-06-23 9:27:09 NTFS
((((((((((((((((((((((((( Files Created from 2007-05-23 to 2007-06-23 )))))))))))))))))))))))))))))))
2007-06-23 09:26 10,240 --a------ C:\Program Files\Yq1.exe
2007-06-23 09:10 10,240 --a------ C:\Program Files\Bp1.exe
2007-06-23 07:42 10,240 --a------ C:\Program Files\VykF.exe
2007-06-20 15:17 <DIR> d-------- C:\Program Files\7-Zip
2007-06-19 17:21 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-18 22:41 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-18 22:41 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji
2007-06-18 22:41 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty
2007-06-18 22:36 <DIR> d--hs---- C:\WINDOWS\CSC
2007-06-17 18:07 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-06-17 18:07 <DIR> d-------- C:\Program Files\EA GAMES
2007-06-17 15:13 <DIR> d-------- C:\Program Files\Volleyball Manager
2007-06-06 08:06 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-06 08:06 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-06 08:05 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-06 08:05 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-06-06 08:05 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-06-06 08:05 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-06-06 08:03 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-05 22:20 4 --a------ C:\WINDOWS\system32\proc625010911.bin
2007-06-05 22:20 <DIR> d-------- C:\DOCUME~1\Karol\DANEAP~1\GanymedeNet
2007-06-03 18:51 <DIR> d-------- C:\Program Files\GSC Game World
2007-06-01 12:40 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-01 08:14 <DIR> d-------- C:\Program Files\AC3Filter
2007-06-01 08:08 <DIR> d-------- C:\Program Files\BearShare
2007-06-01 08:08 <DIR> d-------- C:\My Downloads
2007-05-23 19:19 <DIR> d-------- C:\WINDOWS\Cache
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-23 07:26:35 -------- d-----w C:\DOCUME~1\Karol\DANEAP~1\Skype
2007-06-19 17:49:33 67,078 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-06-19 17:49:33 435,978 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-06-13 19:27:40 2,320 ----a-w C:\WINDOWS\mozver.dat
2007-06-03 16:51:45 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-23 17:08:54 -------- d-----w C:\Program Files\Gadu-Gadu
2007-05-22 16:25:10 -------- d-----w C:\Program Files\EA SPORTS
2007-05-22 15:59:24 -------- d-----w C:\Program Files\Messenger
2007-05-21 19:06:29 -------- d-----w C:\Program Files\Ahead
2007-05-21 19:06:20 -------- d-----w C:\Program Files\Common Files\Ahead
2007-05-21 09:02:29 -------- d-----w C:\DOCUME~1\Karol\DANEAP~1\U3
2007-05-21 08:56:18 92,134 --sha-r C:\WINDOWS\system32\Winkhx.exe
2006-08-18 08:11:33 94,549 --sha-r C:\WINDOWS\system32\Winkav.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"SoundMan"="SOUNDMAN.EXE" []
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-08-01 17:04]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-11-14 11:12]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 18:32]
*Newly Created Service* - WINKAV
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-23 09:28:25
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-23 9:28:42
C:\ComboFix2.txt ... 2007-06-21 21:43
Logfile of HijackThis v1.99.1
Scan saved at 09:33:11, on 2007-06-23
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\Winkav.exe
C:\Program Files\Messenger\msmsgsgmw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\WinRAR\WinRARcbu.exe
C:\DOCUME~1\Karol\USTAWI~1\Temp\Rar$EX00.718\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Winkav - Unknown owner - C:\WINDOWS\System32\Winkav.exe
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SoundMan" = "SOUNDMAN.EXE" [file not found]
"BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "&Do osób..."
-> {HKLM...CLSID} = "&Do osób..."
\InProcServer32\(Default) = "C:\Program Files\Outlook Express\wabfind.dll" [file not found]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Tapeta pulpitu.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Karol\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"
- Forum Komputerowe Tweaks.pl