Trojan.Peacomm

cze

User
Joined
March 20, 2007
Posts
10
Hello! Norton Internet Security has found a Trojan.Peacomm on my machine. First of all, I can't get rid of it, and besides that, maybe someone knows more about it, i.e. where it could have come from and what damage it does!?
 

maly3900

User
Joined
January 18, 2005
Posts
362
It probably can't remove it because it's running as a process...
Norton will tell you which file is the trojan; kill it from Task Manager, and then you'll even be able to delete it by hand...
Unless the programmer thought ahead and made another exe that unpacks and launches the Trojan... but I don't think that's the case....
Cheers, MaLy!
 

Dark Smark

Former Moderator
Joined
April 29, 2006
Posts
1953
http://forum.idg.pl/index.php?showtopic=71410
Infection alert: the "Storm Trojan" trojan horse

*** On January 22, Symantec Security Response raised the threat level of the "Storm Trojan" trojan horse from low (1) to medium (3) ***

To help users understand how the relatively new Trojan.Peacomm trojan horse operates, Symantec Security Response is providing a summary of the related issues and additional information that helps avoid the threat.

The first signs of the "Storm Trojan" were recorded on January 17, 2007. Symantec Security Response has observed an increase in related infections as well as the appearance of new variants with new functionality. This trojan horse is delivered as an attachment to an e-mail message that purportedly contains video footage of a recent event. The message itself has no body and carries one of the following subjects:

A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Re: Your text
Radical Muslim drinking enemies's blood.
Chinese missile shot down Russian satellite
Chinese missile shot down Russian aircraft
Chinese missile shot down USA aircraft
Chinese missile shot down USA satellite
Russian missile shot down USA aircraft
Russian missile shot down USA satellite
Russian missile shot down Chinese aircraft
Russian missile shot down Chinese satellite
Saddam Hussein safe and sound!
Saddam Hussein alive!
Venezuelan leader: "Let's the War beginning".
Fidel Castro dead.


Symantec would also like to urge users to exercise the utmost caution with unsolicited e-mail messages carrying attachments that purport to be legitimate or interesting. The practice of using intriguing subject lines or attachment names to distribute malicious code is known as social engineering. Authors of malicious programs have been using social engineering for years, and unfortunately they often succeed against unprotected users. A particularly common feature of this technique is a reference in the e-mail message to the latest news events.

The attachment may have one of the following names:

FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe
GreetingPostcard.exe
MoreHere.exe
FlashPostcard.exe
GreetingCard.exe
ClickHere.exe
ReadMore.exe
FlashPostcard.exe
FullNews.exe


Given the changing nature of this threat, additional subjects or attachment names may well appear. Users are advised not to open this type of e-mail message.

In reality the attachment is a trojan horse that installs itself on the system as a driver and then downloads other malicious programs from various computers on the Internet. Both the attachment and the trojan horse it contains are detected by antivirus software.

Once installed and run, the trojan horse attempts to connect to other infected systems on the Internet. This network is used as a distribution source from which further malicious programs are downloaded.

New variants of this threat have also been discovered that are capable of using rootkit tools to hide their presence on the system. On January 22, in the second half of the day (Pacific time), Symantec Security Response will release updated virus definition signatures that detect and remove the variants of this threat that use rootkit techniques. All earlier variants are already effectively detected and removed by the existing virus definition signatures.

More detailed information on this threat can be found on the Symantec Security Response Blog.

Symantec Security Response has now raised the threat rating of the Trojan.Peacomm trojan horse to medium, which is 3 (the maximum value is 5).
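The alert above gives two lists of indicators (subjects and attachment names) and one behavioural pattern (an empty message carrying an executable). The following is an added example for this thread, not Symantec's or the forum's code, showing how a mail filter would turn those into checks. The sample messages are constructed here so that it runs offline; the sender and recipient addresses and the attachment bytes are made up.

```python
"""
Mail-filter check for the Trojan.Peacomm / "Storm" delivery pattern described in
the Symantec alert: an otherwise empty e-mail whose subject is one of the known
news-style lures and which carries an executable attachment with one of the
known names.  Added example; the indicator lists are copied from the alert.
"""
import email
from email import policy

# Subject lines listed in the alert (copied verbatim, including the spam's own grammar).
KNOWN_SUBJECTS = {
    "A killer at 11, he's free at 21 and kill again!",
    "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel",
    "British Muslims Genocide",
    "Naked teens attack home director.",
    "230 dead as storm batters Europe.",
    "Re: Your text",
    "Radical Muslim drinking enemies's blood.",
    "Chinese missile shot down Russian satellite",
    "Chinese missile shot down Russian aircraft",
    "Chinese missile shot down USA aircraft",
    "Chinese missile shot down USA satellite",
    "Russian missile shot down USA aircraft",
    "Russian missile shot down USA satellite",
    "Russian missile shot down Chinese aircraft",
    "Russian missile shot down Chinese satellite",
    "Saddam Hussein safe and sound!",
    "Saddam Hussein alive!",
    'Venezuelan leader: "Let\'s the War beginning".',
    "Fidel Castro dead.",
}

# Attachment names listed in the alert.
KNOWN_ATTACHMENTS = {
    "FullVideo.exe", "Full Story.exe", "Video.exe", "Read More.exe", "FullClip.exe",
    "GreetingPostcard.exe", "MoreHere.exe", "FlashPostcard.exe", "GreetingCard.exe",
    "ClickHere.exe", "ReadMore.exe", "FullNews.exe",
}

# Extensions Windows runs directly when the attachment is double-clicked.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def check_message(raw):
    """Return a list of findings for one raw RFC 5322 message given as bytes.

    Rules 1 and 2 match the indicators listed in the alert.  Rule 3 is the
    behaviour the alert describes (empty body plus executable attachment) and
    also catches the new names and subjects the alert says will appear.
    Rule 4 looks at content: a renamed attachment still starts with the "MZ"
    header of a Windows executable.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = (msg["Subject"] or "").strip()
    if subject in KNOWN_SUBJECTS:                                     # rule 1
        findings.append("subject matches a known Storm lure: %r" % subject)

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content().strip() if body_part is not None else ""

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in KNOWN_ATTACHMENTS:                                 # rule 2
            findings.append("attachment name matches a known Storm lure: %r" % name)
        if name.lower().endswith(EXECUTABLE_EXTENSIONS) and not body_text:  # rule 3
            findings.append("executable attachment %r in a message with an empty body" % name)
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":                                      # rule 4
            findings.append("attachment %r carries a Windows executable (MZ header)" % name)
    return findings


def is_storm_lure(raw):
    """Verdict used by the filter: any finding is enough to quarantine the message."""
    return bool(check_message(raw))


# Constructed sample: the delivery pattern from the alert (empty body, lure subject,
# known attachment name, attachment beginning with an MZ header).
LURE_MESSAGE = b"""From: news@example.invalid
To: user@example.invalid
Subject: 230 dead as storm batters Europe.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"


--b1
Content-Type: application/octet-stream; name="FullVideo.exe"
Content-Disposition: attachment; filename="FullVideo.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed sample: an ordinary message that must pass.
BENIGN_MESSAGE = b"""From: colleague@example.invalid
To: user@example.invalid
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Thanks, I have read it and will answer tomorrow.
"""

if __name__ == "__main__":
    for line in check_message(LURE_MESSAGE):
        print(line)
    print("benign message flagged:", is_storm_lure(BENIGN_MESSAGE))
```

Note that "Re: Your text" is a weak indicator on its own: legitimate replies carry that subject too, which is why the verdict leans on the combination of lure subject, executable attachment and empty body rather than on the subject list alone.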
 

fl3a

User
Joined
March 12, 2005
Posts
538
"It probably can't remove it because it's running as a process..."
It would be worth reading up on the subject before writing a reply...

As Dark Smark pointed out, this is the well-known "Storm worm". The quoted description concerns the first version of this worm. Subsequent variants follow a similar scheme: once the downloader runs, further components are downloaded, including the driver wincom32.sys. The downloader itself carries two components in its resources. One of them is a library that modifies the entries under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
To each (PackedCatalogItem) string of the 00000000000X keys the worm prepends the name of its library, in the form:
Code:
rsvp32_2.dll.$SystemRoot$\System32\msafd.dll

Removing these modifications, after first removing all of the worm's components, makes it possible to connect to the Internet again.

The most effective way to fight this worm is to disconnect from the Internet, block the kernel module (if it has been loaded) and manually eliminate all of the worm's components. Contrary to appearances, the "deworming" is not complicated, but you need a few useful tools such as gmer or RkU.

I didn't mention the new way the malware is being spread: Another build of "Storm worm".
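The post above describes a Winsock layered-provider hijack: the worm's DLL name is written in front of the provider path in each PackedCatalogItem, and the connection only comes back once those values are restored. The following is an added example for this thread, not the poster's or any tool's code, that audits such values offline and shows the repair. It assumes the PackedCatalogItem layout used by LSP repair tools (a NUL-padded ANSI provider path of MAX_PATH bytes followed by the WSAPROTOCOL_INFO structure); the catalog blobs are constructed here, the WSAPROTOCOL_INFO part is replaced by zero bytes, and "evil_lsp.dll" is a placeholder name, not a real indicator.

```python
"""
Offline audit of Winsock2 Protocol_Catalog9 PackedCatalogItem values for the
prepended-DLL modification described in the thread, plus the repair that
restores the original provider path.  Added example; the blobs are constructed.
"""
import re

MAX_PATH = 260  # assumed: the provider-path field of a PackedCatalogItem is MAX_PATH bytes

# Provider DLLs Windows ships with: msafd.dll (named in the post), mswsock.dll and
# rsvpsp.dll (the two the Silent Runners log in this thread shows).
EXPECTED_PROVIDERS = {"msafd.dll", "mswsock.dll", "rsvpsp.dll"}

# "<name>.dll" glued in front of a path that itself ends in a DLL: the shape of the
# modification quoted in the post (rsvp32_2.dll.<original path>).
PREPENDED_DLL = re.compile(r"^(?P<prefix>[^\\/]+?\.dll)\.(?P<original>.+\.dll)$", re.IGNORECASE)


def make_packed_item(path, protocol_info=b"\x00" * 16):
    """Build a constructed PackedCatalogItem blob: NUL-padded ANSI path, then the
    WSAPROTOCOL_INFO bytes (a zero-filled stand-in here)."""
    raw = path.encode("latin-1")
    if len(raw) >= MAX_PATH:
        raise ValueError("provider path does not fit in MAX_PATH")
    return raw.ljust(MAX_PATH, b"\x00") + protocol_info


def provider_path(blob):
    """Extract the provider DLL path from a PackedCatalogItem blob."""
    if len(blob) < MAX_PATH:
        raise ValueError("PackedCatalogItem too short: %d bytes" % len(blob))
    return blob[:MAX_PATH].split(b"\x00", 1)[0].decode("latin-1")


def audit_entry(name, blob):
    """Return findings for one Catalog_Entries\\<name> value."""
    path = provider_path(blob)
    findings = []
    m = PREPENDED_DLL.match(path)
    if m:
        findings.append("%s: foreign DLL %r prepended to provider path %r"
                        % (name, m.group("prefix"), m.group("original")))
    base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if base not in EXPECTED_PROVIDERS:
        findings.append("%s: provider DLL %r is not a stock Winsock provider" % (name, base))
    return findings


def audit_catalog(catalog):
    """Audit a {entry name: blob} mapping in catalog order."""
    findings = []
    for name in sorted(catalog):
        findings.extend(audit_entry(name, catalog[name]))
    return findings


def repaired_item(blob):
    """Strip a prepended DLL name and return a blob with the original provider
    path restored; the WSAPROTOCOL_INFO bytes are kept as they were.  Unmodified
    blobs are returned unchanged.  As the post says, apply this only after the
    worm's own components are gone, or the provider is simply re-hooked."""
    m = PREPENDED_DLL.match(provider_path(blob))
    if not m:
        return blob
    return make_packed_item(m.group("original"), blob[MAX_PATH:])


# Constructed catalog: one clean entry, one hijacked in the form quoted in the post,
# and one pointing at a placeholder DLL that is not a Windows provider at all.
SAMPLE_CATALOG = {
    "000000000001": make_packed_item("%SystemRoot%\\system32\\mswsock.dll"),
    "000000000002": make_packed_item("rsvp32_2.dll.%SystemRoot%\\System32\\msafd.dll"),
    "000000000003": make_packed_item("C:\\WINDOWS\\system32\\evil_lsp.dll"),  # placeholder
}

if __name__ == "__main__":
    for line in audit_catalog(SAMPLE_CATALOG):
        print(line)
    fixed = repaired_item(SAMPLE_CATALOG["000000000002"])
    print("repaired:", provider_path(fixed))
```

On a live system the same blobs come from reading the PackedCatalogItem value of every Catalog_Entries subkey (for example with winreg on Windows); the audit and repair functions take the raw bytes either way.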
 

cze

User
Joined
March 20, 2007
Posts
10
So what do I do to get rid of it? I'm posting the logs from HijackThis and Silent Runners...

[ Added: 22-03-2007, 13:14 ]
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCUSoftwareMicrosoftWindowsCurrentVersionRun {++}
"CTFMON.EXE" = "C:WINDOWSsystem32ctfmon.exe" [MS]
"PowerBar" = "(empty string)" [file not found]
"MSMSGS" = ""C:program FilesMessengermsmsgs.exe" /background" [MS]
"NBJ" = ""C:pROGRA~1AheadNEROBA~1NBJ.exe"" ["Ahead Software AG"]
"Gadu-Gadu" = ""C:program FilesGadu-Gadugg.exe" /tray" ["Gadu-Gadu S.A."]
"Skype" = ""C:program FilesSkypePhoneSkype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"FreeCall" = ""C:program FilesFreeCall.comFreeCallFreeCall.exe" -nosplash -minimized" [file not found]
"Odkurzacz-MCD" = "C:program FilesOdkurzaczodk_mcd.exe" ["Franmo Software"]
"odk_mcd" = "(empty string)" [file not found]
"Anonymizer" = "E:ANONYMIZERAnonymizer.exe -nogui" [file not found]

HKLMSoftwareMicrosoftWindowsCurrentVersionRun {++}
"SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."]
"RemoteControl" = ""C:program FilesCyberLink DVD SolutionPowerDVDPDVDServ.exe"" ["Cyberlink Corp."]
"InCD" = "C:program FilesAheadInCDInCD.exe" ["Nero AG"]
"NeroFilterCheck" = "C:WINDOWSsystem32NeroCheck.exe" ["Ahead Software Gmbh"]
"NvCplDaemon" = "RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:WINDOWSsystem32NvMcTray.dll,NvTaskbarInit" [MS]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"LiveMonitor" = "C:program FilesMSILive Update 3LMonitor.exe" [empty string]
"(Default)" = "(empty string)" [file not found]
"NVIDIA nTune" = ""C:program FilesNVIDIA CorporationnTunenTuneCmd.exe" clear" ["NVIDIA"]
"ccApp" = ""C:program FilesCommon FilesSymantec SharedccApp.exe"" ["Symantec Corporation"]
"MagicRotation" = "C:program FilesMagicRotationMagicPvt.exe" ["Samsung Electronics, Inc."]
"StormCodec_Helper" = ""C:program FilesRingz StudioStorm CodecStormSet.exe" /S /opti" [null data]
"HP Software Update" = "C:program FilesHPHP Software UpdateHPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."]
"SunJavaUpdateSched" = ""C:program FilesJavajre1.5.0_10binjusched.exe"" ["Sun Microsystems, Inc."]
"New.net Startup" = "rundll32 C:pROGRA~1NEWDOT~1NEWDOT~2.DLL,ClientStartup -s" [MS]
"Globe7" = ""C:program FilesGlobe7Globe7.exe" /hide" [file not found]
"Symantec NetDriver Monitor" = "C:pROGRA~1SYMNET~1SNDMon.exe /Consumer" ["Symantec Corporation"]
"!AVG Anti-Spyware" = ""C:program FilesGrisoftAVG Anti-Spyware 7.5avgas.exe" /minimized" ["Anti-Malware Development a.s."]

HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects
{02478D38-C3F9-4efb-9B51-7695ECA05670}(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion BHO"
InProcServer32(Default) = "C:program FilesYahoo!CompanionInstallscpn0ycomp5_6_2_0.dll" ["Yahoo! Inc."]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = "Skype add-on (mastermind)"
-> {HKLM...CLSID} = "Skype add-on (mastermind)"
InProcServer32(Default) = "C:pROGRA~1SkypePhoneIEPluginSKYPEI~1.DLL" ["Skype Technologies S.A."]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided)
-> {HKLM...CLSID} = "Megaupload Toolbar"
InProcServer32(Default) = "C:pROGRA~1MEGAUP~1MEGAUP~1.DLL" ["MegaUpload"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
InProcServer32(Default) = "C:program FilesJavajre1.5.0_10binssv.dll" ["Sun Microsystems, Inc."]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}(Default) = (no title provided)
-> {HKLM...CLSID} = "CNisExtBho Class"
InProcServer32(Default) = "C:program FilesCommon FilesSymantec SharedAdBlockingNISShExt.dll" ["Symantec Corporation"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
InProcServer32(Default) = "c:program filesgooglegoogletoolbar3.dll" ["Google Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}(Default) = (no title provided)
-> {HKLM...CLSID} = "CNavExtBho Class"
InProcServer32(Default) = "C:program FilesNorton Internet SecurityNorton AntiVirusNavShExt.dll" ["Symantec Corporation"]
{F97DA966-F09D-4cab-BF29-75A0026986EA}(Default) = "XBTP02634"
-> {HKLM...CLSID} = "XBTP02634 Class"
InProcServer32(Default) = "C:pROGRA~1BEARSH~1BEARSH~2MediaBar.dll" [file not found]

HKLMSoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
InProcServer32(Default) = "C:WINDOWSsystem32hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
InProcServer32(Default) = "C:WINDOWSsystem32shdocvw.dll" [MS]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {HKLM...CLSID} = "Shell Extension for CDRW"
InProcServer32(Default) = "C:program FilesAheadInCDincdshx.dll" ["Nero AG"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
InProcServer32(Default) = "C:WINDOWSsystem32nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
InProcServer32(Default) = "C:WINDOWSsystem32nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
InProcServer32(Default) = "C:WINDOWSsystem32nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:WINDOWSsystem32nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
InProcServer32(Default) = "C:WINDOWSsystem32nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
InProcServer32(Default) = "C:program FilesMicrosoft OfficeOffice10OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:program FilesMicrosoft OfficeOffice10msohev.dll" [MS]
"{59403EC0-EA55-11d5-954A-9A53884D6E09}" = "SecureDoc"
-> {HKLM...CLSID} = "SecureDoc"
InProcServer32(Default) = "C:pROGRA~1MSISECURE~1SecDoc.dll" ["msi"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "C:program FilesWinRARrarext.dll" [null data]
"{9E5E1445-6CEA-4761-8E45-AA19F654571E}" = "MagicRotation Shell Extension"
-> {HKLM...CLSID} = "BkgndCtxMenuExt Class"
InProcServer32(Default) = "C:WINDOWSsystem32mpvthook.dll" ["Samsung Electronics, Inc."]

HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerShellExecuteHooks
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
InProcServer32(Default) = "C:program FilesGrisoftAVG Anti-Spyware 7.5shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLMSoftwareMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
InProcServer32(Default) = "C:WINDOWSsystem32WPDShServiceObj.dll" [MS]

HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogon
<<!>> "System" = "kdrss.exe" [null data]

HKLMSoftwareClasses*shellexContextMenuHandlers
AVG Anti-Spyware(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
InProcServer32(Default) = "C:program FilesGrisoftAVG Anti-Spyware 7.5context.dll" ["Anti-Malware Development a.s."]
SecureDocMenu(Default) = "{59403EC0-EA55-11d5-954A-9A53884D6E09}"
-> {HKLM...CLSID} = "SecureDoc"
InProcServer32(Default) = "C:pROGRA~1MSISECURE~1SecDoc.dll" ["msi"]
Symantec.Norton.Antivirus.IEContextMenu(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
InProcServer32(Default) = "C:program FilesNorton Internet SecurityNorton AntiVirusNavShExt.dll" ["Symantec Corporation"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "C:program FilesWinRARrarext.dll" [null data]

HKLMSoftwareClassesDirectoryshellexContextMenuHandlers
AVG Anti-Spyware(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
InProcServer32(Default) = "C:program FilesGrisoftAVG Anti-Spyware 7.5context.dll" ["Anti-Malware Development a.s."]
SecureDocMenu(Default) = "{59403EC0-EA55-11d5-954A-9A53884D6E09}"
-> {HKLM...CLSID} = "SecureDoc"
InProcServer32(Default) = "C:pROGRA~1MSISECURE~1SecDoc.dll" ["msi"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "C:program FilesWinRARrarext.dll" [null data]

HKLMSoftwareClassesFoldershellexContextMenuHandlers
Symantec.Norton.Antivirus.IEContextMenu(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
InProcServer32(Default) = "C:program FilesNorton Internet SecurityNorton AntiVirusNavShExt.dll" ["Symantec Corporation"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "C:program FilesWinRARrarext.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}

HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCUSoftwareMicrosoftInternet ExplorerDesktopGeneral
"Wallpaper" = "C:WINDOWSsystem32configsystemprofileUstawienia lokalneDane aplikacjiMicrosoftWallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCUControl PanelDesktop
"Wallpaper" = "C:Documents and SettingsMichalUstawienia lokalneDane aplikacjiMicrosoftWallpaper1.bmp"


Startup items in "Michal" & "All Users" startup folders:
--------------------------------------------------------

C:Documents and SettingsAll Users.WINDOWSMenu StartProgramyAutostart
"HP Digital Imaging Monitor" -> shortcut to: "C:program FilesHPDigital Imagingbinhpqtra08.exe" ["Hewlett-Packard Development Company, L.P."]
"HP Photosmart Premier - Szybkie uruchomienie" -> shortcut to: "C:program FilesHPDigital Imagingbinhpqthb08.exe -s" [null data]
"InterVideo WinCinema Manager" -> shortcut to: "C:program FilesInterVideoCommonBinWinCinemaMgr.exe" ["InterVideo Inc."]
"MagicTune 3.5" -> shortcut to: "C:program FilesSECMagicTune3.5_ClientMagicTuneTray.exe" [empty string]
"Microsoft Office" -> shortcut to: "C:program FilesMicrosoft OfficeOffice10OSA.EXE -b -l" [MS]
"NaturalColorLoad" -> shortcut to: "C:program FilesSECNatural ColorNaturalColorLoad.exe" [empty string]
"SecureDoc" -> shortcut to: "C:program FilesMSISecureDocLogon.exe" ["msi"]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Michal" -> launches: "C:pROGRA~1NORTON~1NORTON~1Navw32.exe /task:"C:Documents and SettingsAll Users.WINDOWSDane aplikacjiSymantecNorton AntiVirusTasksmycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCUSoftwareMicrosoftInternet ExplorerToolbarShellBrowser
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
InProcServer32(Default) = "C:program FilesNorton Internet SecurityNorton AntiVirusNavShExt.dll" ["Symantec Corporation"]

HKCUSoftwareMicrosoftInternet ExplorerToolbarWebBrowser
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {HKLM...CLSID} = "Norton Internet Security"
InProcServer32(Default) = "C:program FilesCommon FilesSymantec SharedAdBlockingNISShExt.dll" ["Symantec Corporation"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "&Yahoo! Companion"
InProcServer32(Default) = "C:program FilesYahoo!CompanionInstallscpn0ycomp5_6_2_0.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
InProcServer32(Default) = "c:program filesgooglegoogletoolbar3.dll" ["Google Inc."]
"{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}"
-> {HKLM...CLSID} = "BearShare MediaBar"
InProcServer32(Default) = "C:program FilesBearShare applicationsBearShare MediaBarMediaBar.dll" [file not found]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
InProcServer32(Default) = "C:WINDOWSsystem32ieframe.dll" [MS]

HKLMSoftwareMicrosoftInternet ExplorerToolbar
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {HKLM...CLSID} = "Norton Internet Security"
InProcServer32(Default) = "C:program FilesCommon FilesSymantec SharedAdBlockingNISShExt.dll" ["Symantec Corporation"]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {HKLM...CLSID} = "Norton AntiVirus"
InProcServer32(Default) = "C:program FilesNorton Internet SecurityNorton AntiVirusNavShExt.dll" ["Symantec Corporation"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Companion"
InProcServer32(Default) = "C:program FilesYahoo!CompanionInstallscpn0ycomp5_6_2_0.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
InProcServer32(Default) = "c:program filesgooglegoogletoolbar3.dll" ["Google Inc."]
"{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}" = (no title provided)
-> {HKLM...CLSID} = "BearShare MediaBar"
InProcServer32(Default) = "C:program FilesBearShare applicationsBearShare MediaBarMediaBar.dll" [file not found]
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)
-> {HKLM...CLSID} = "Megaupload Toolbar"
InProcServer32(Default) = "C:pROGRA~1MEGAUP~1MEGAUP~1.DLL" ["MegaUpload"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLMSoftwareMicrosoftInternet ExplorerExtensions
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
InProcServer32(Default) = "C:program FilesJavajre1.5.0_10binssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
InProcServer32(Default) = "C:program FilesJavajre1.5.0_10binnpjpi150_10.dll" ["Sun Microsystems, Inc."]

{77BF5300-1474-4EC7-9980-D32B190E9B07}
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
-> {HKLM...CLSID} = "Skype add-on (button)"
InProcServer32(Default) = "C:pROGRA~1SkypePhoneIEPluginSKYPEI~1.DLL" ["Skype Technologies S.A."]

{DE60714F-AC17-427E-861A-FD60CBDF119A}
"ButtonText" = "Ň×ȤąşÎď"
"MenuText" = "Ň×ȤąşÎď"
"Exec" = "http://click2.ad4all.net/url2/urlmanage/url.asp?id=1" [file not found]

{E2E2DD38-D088-4134-82B7-F2BA38496583}
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%Network Diagnosticxpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:program FilesMessengermsmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:program FilesSymantecLiveUpdateALUSchedulerSvc.exe"" ["Symantec Corporation"]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:program FilesGrisoftAVG Anti-Spyware 7.5guard.exe" ["Anti-Malware Development a.s."]
InCD Helper, InCDsrv, "C:program FilesAheadInCDInCDsrv.exe" ["Nero AG"]
ISSvc, ISSVC, ""C:program FilesNorton Internet SecurityISSVC.exe"" ["Symantec Corporation"]
Machine Debug Manager, MDM, ""C:program FilesCommon FilesMicrosoft SharedVS7Debugmdm.exe"" [MS]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:program FilesNorton Internet SecurityNorton AntiVirusnavapsvc.exe"" ["Symantec Corporation"]
nTune Service, nTuneService, "C:program FilesNVIDIA CorporationnTunenTuneService.exe /StartService" ["NVIDIA"]
NVIDIA Display Driver Service, NVSvc, "C:WINDOWSsystem32nvsvc32.exe" ["NVIDIA Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:program FilesCommon FilesSymantec SharedccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:program FilesCommon FilesSymantec SharedSNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:program FilesCommon FilesSymantec SharedccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:program FilesCommon FilesSymantec SharedccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:program FilesCommon FilesSymantec SharedSPBBCSPBBCSvc.exe"" ["Symantec Corporation"]


Print Monitors:
---------------

HKLMSystemCurrentControlSetControlPrintMonitors
HP Standard TCP/IP PortDriver = "HpTcpMon.dll" ["Hewlett Packard"]
PCL hpz3l054Driver = "hpz3l054.dll" ["Hewlett-Packard Company"]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 40 seconds, including 4 seconds for message boxes)
 

cze

User
Joined
March 20, 2007
Posts
10
GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-22 16:53:01
Windows 5.1.2600 Dodatek Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 860AF668 ZwConnectPort
SSDT ??C:program FilesGrisoftAVG Anti-Spyware 7.5guard.sys ZwOpenProcess
SSDT 8588E700 ZwOpenThread
SSDT ??C:program FilesGrisoftAVG Anti-Spyware 7.5guard.sys ZwTerminateProcess

---- User code sections - GMER 1.0.12 ----

.text C:WINDOWSsystem32ctfmon.exe[112] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00974C77
.text C:WINDOWSsystem32ctfmon.exe[112] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00974E8F
.text C:WINDOWSsystem32ctfmon.exe[112] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00974FAC
.text C:WINDOWSsystem32ctfmon.exe[112] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00974D91
.text C:program FilesGrisoftAVG Anti-Spyware 7.5avgas.exe[600] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 01034C77
.text C:program FilesGrisoftAVG Anti-Spyware 7.5avgas.exe[600] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 01034E8F
.text C:program FilesGrisoftAVG Anti-Spyware 7.5avgas.exe[600] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01034FAC
.text C:program FilesGrisoftAVG Anti-Spyware 7.5avgas.exe[600] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 01034D91
.text C:WINDOWSsystem32winlogon.exe[648] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00D04C77
.text C:WINDOWSsystem32winlogon.exe[648] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00D04E8F
.text C:WINDOWSsystem32winlogon.exe[648] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00D04FAC
.text C:WINDOWSsystem32winlogon.exe[648] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00D04D91
.text C:program FilesMessengermsmsgs.exe[1188] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00AB4C77
.text C:program FilesMessengermsmsgs.exe[1188] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00AB4E8F
.text C:program FilesMessengermsmsgs.exe[1188] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00AB4FAC
.text C:program FilesMessengermsmsgs.exe[1188] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00AB4D91
.text C:program FilesInternet Exploreriexplore.exe[1364] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00AE4C77
.text C:program FilesInternet Exploreriexplore.exe[1364] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00AE4E8F
.text C:program FilesInternet Exploreriexplore.exe[1364] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00AE4FAC
.text C:program FilesInternet Exploreriexplore.exe[1364] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00AE4D91
.text C:program FilesInternet Exploreriexplore.exe[1364] USER32.dll!SetWindowLongA 77D3D60D 5 Bytes JMP 7E38FFBA C:WINDOWSsystem32IEFRAME.dll
.text C:program FilesInternet Exploreriexplore.exe[1364] USER32.dll!SetWindowLongW 77D3D62B 5 Bytes JMP 7E38FFEB C:WINDOWSsystem32IEFRAME.dll
.text C:program FilesInternet Exploreriexplore.exe[1364] USER32.dll!DialogBoxParamW 77D4662C 5 Bytes JMP 7E1FF205 C:WINDOWSsystem32IEFRAME.dll
.text C:program FilesInternet Exploreriexplore.exe[1364] USER32.dll!DialogBoxIndirectParamW 77D52043 5 Bytes JMP 7E38FEBF C:WINDOWSsystem32IEFRAME.dll
.text C:program FilesInternet Exploreriexplore.exe[1364] USER32.dll!MessageBoxIndirectA 77D5A05A 5 Bytes JMP 7E38FE40 C:WINDOWSsystem32IEFRAME.dll
.text C:program FilesInternet Exploreriexplore.exe[1364] USER32.dll!DialogBoxParamA 77D5B11C 5 Bytes JMP 7E38FE84 C:WINDOWSsystem32IEFRAME.dll
.text C:program FilesInternet Exploreriexplore.exe[1364] USER32.dll!MessageBoxExW 77D70538 5 Bytes JMP 7E38FDCC C:WINDOWSsystem32IEFRAME.dll
.text C:program FilesInternet Exploreriexplore.exe[1364] USER32.dll!MessageBoxExA 77D7055C 5 Bytes JMP 7E38FE06 C:WINDOWSsystem32IEFRAME.dll
.text C:program FilesInternet Exploreriexplore.exe[1364] USER32.dll!DialogBoxIndirectParamA 77D76CAD 5 Bytes JMP 7E38FEFA C:WINDOWSsystem32IEFRAME.dll
.text C:program FilesInternet Exploreriexplore.exe[1364] USER32.dll!MessageBoxIndirectW 77D86093 5 Bytes JMP 7E2215DA C:WINDOWSsystem32IEFRAME.dll
.text C:program FilesInternet Exploreriexplore.exe[1364] WININET.dll!HttpSendRequestA 771CCD38 5 Bytes JMP 00AE49E5
.text C:program FilesInternet Exploreriexplore.exe[1364] WININET.dll!HttpSendRequestW 771E075D 5 Bytes JMP 00AE4A2E
.text C:program FilesGadu-Gadugg.exe[2208] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 01804C77
.text C:program FilesGadu-Gadugg.exe[2208] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 01804E8F
.text C:program FilesGadu-Gadugg.exe[2208] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01804FAC
.text C:program FilesGadu-Gadugg.exe[2208] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 01804D91
.text C:program FilesHPDigital Imagingbinhpqimzone.exe[2252] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 003F4C77
.text C:program FilesHPDigital Imagingbinhpqimzone.exe[2252] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 003F4E8F
.text C:program FilesHPDigital Imagingbinhpqimzone.exe[2252] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 003F4FAC
.text C:program FilesHPDigital Imagingbinhpqimzone.exe[2252] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 003F4D91
.text C:program FilesHPDigital Imagingbinhpqste08.exe[2464] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A64C77
.text C:program FilesHPDigital Imagingbinhpqste08.exe[2464] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00A64E8F
.text C:program FilesHPDigital Imagingbinhpqste08.exe[2464] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A64FAC
.text C:program FilesHPDigital Imagingbinhpqste08.exe[2464] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00A64D91
.text C:program FilesSkypePhoneSkype.exe[2656] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 024E4C77
.text C:program FilesSkypePhoneSkype.exe[2656] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 024E4E8F
.text C:program FilesSkypePhoneSkype.exe[2656] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 024E4FAC
.text C:program FilesSkypePhoneSkype.exe[2656] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 024E4D91
.text C:WINDOWSexplorer.exe[3164] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00BD4C77
.text C:WINDOWSexplorer.exe[3164] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00BD4E8F
.text C:WINDOWSexplorer.exe[3164] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00BD4FAC
.text C:WINDOWSexplorer.exe[3164] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00BD4D91
.text C:program FilesCyberLink DVD SolutionPowerDVDPDVDServ.exe[3516] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A14C77
.text C:program FilesCyberLink DVD SolutionPowerDVDPDVDServ.exe[3516] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00A14E8F
.text C:program FilesCyberLink DVD SolutionPowerDVDPDVDServ.exe[3516] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A14FAC
.text C:program FilesCyberLink DVD SolutionPowerDVDPDVDServ.exe[3516] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00A14D91
.text C:program FilesAheadInCDInCD.exe[3540] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A54C77
.text C:program FilesAheadInCDInCD.exe[3540] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00A54E8F
.text C:program FilesAheadInCDInCD.exe[3540] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A54FAC
.text C:program FilesAheadInCDInCD.exe[3540] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00A54D91
.text C:WINDOWSsystem32rundll32.exe[3648] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A44C77
.text C:WINDOWSsystem32rundll32.exe[3648] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00A44E8F
.text C:WINDOWSsystem32rundll32.exe[3648] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A44FAC
.text C:WINDOWSsystem32rundll32.exe[3648] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00A44D91
.text C:program Filesgmergmer.exe[3716] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00AB4C77
.text C:program Filesgmergmer.exe[3716] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00AB4E8F
.text C:program Filesgmergmer.exe[3716] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00AB4FAC
.text C:program Filesgmergmer.exe[3716] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00AB4D91
.text C:WINDOWSRTHDCPL.exe[3732] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 01A14C77
.text C:WINDOWSRTHDCPL.exe[3732] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 01A14E8F
.text C:WINDOWSRTHDCPL.exe[3732] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01A14FAC
.text C:WINDOWSRTHDCPL.exe[3732] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 01A14D91
.text C:program FilesHPDigital Imagingbinhpqtra08.exe[3756] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A74C77
.text C:program FilesHPDigital Imagingbinhpqtra08.exe[3756] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00A74E8F
.text C:program FilesHPDigital Imagingbinhpqtra08.exe[3756] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A74FAC
.text C:program FilesHPDigital Imagingbinhpqtra08.exe[3756] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00A74D91
.text C:program FilesMSILive Update 3LMonitor.exe[3764] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00CD4C77
.text C:program FilesMSILive Update 3LMonitor.exe[3764] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00CD4E8F
.text C:program FilesMSILive Update 3LMonitor.exe[3764] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00CD4FAC
.text C:program FilesMSILive Update 3LMonitor.exe[3764] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00CD4D91
.text C:program FilesInterVideoCommonBinWinCinemaMgr.exe[3792] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A34C77
.text C:program FilesInterVideoCommonBinWinCinemaMgr.exe[3792] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00A34E8F
.text C:program FilesInterVideoCommonBinWinCinemaMgr.exe[3792] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A34FAC
.text C:program FilesInterVideoCommonBinWinCinemaMgr.exe[3792] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00A34D91
.text C:program FilesSkypePlugin ManagerskypePM.exe[3832] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00E24C77
.text C:program FilesSkypePlugin ManagerskypePM.exe[3832] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00E24E8F
.text C:program FilesSkypePlugin ManagerskypePM.exe[3832] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00E24FAC
.text C:program FilesSkypePlugin ManagerskypePM.exe[3832] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00E24D91
.text C:program FilesCommon FilesSymantec SharedCCAPP.EXE[3836] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A34C77
.text C:program FilesCommon FilesSymantec SharedCCAPP.EXE[3836] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00A34E8F
.text C:program FilesCommon FilesSymantec SharedCCAPP.EXE[3836] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A34FAC
.text C:program FilesCommon FilesSymantec SharedCCAPP.EXE[3836] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00A34D91
.text C:program FilesSECNatural ColorNaturalColorLoad.exe[3944] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A54C77
.text C:program FilesSECNatural ColorNaturalColorLoad.exe[3944] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00A54E8F
.text C:program FilesSECNatural ColorNaturalColorLoad.exe[3944] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A54FAC
.text C:program FilesSECNatural ColorNaturalColorLoad.exe[3944] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00A54D91
.text C:program FilesMagicRotationMagicPvt.exe[3948] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00B44C77
.text C:program FilesMagicRotationMagicPvt.exe[3948] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00B44E8F
.text C:program FilesMagicRotationMagicPvt.exe[3948] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00B44FAC
.text C:program FilesMagicRotationMagicPvt.exe[3948] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00B44D91
.text C:program FilesMSISecureDocLogon.exe[3976] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A24C77
.text C:program FilesMSISecureDocLogon.exe[3976] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00A24E8F
.text C:program FilesMSISecureDocLogon.exe[3976] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A24FAC
.text C:program FilesMSISecureDocLogon.exe[3976] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00A24D91
.text C:program FilesHPHP Software UpdatehpwuSchd2.exe[3996] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A14C77
.text C:program FilesHPHP Software UpdatehpwuSchd2.exe[3996] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00A14E8F
.text C:program FilesHPHP Software UpdatehpwuSchd2.exe[3996] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A14FAC
.text C:program FilesHPHP Software UpdatehpwuSchd2.exe[3996] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00A14D91
.text C:program FilesWindows Media Playerwmplayer.exe[4016] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00954C77
.text C:program FilesWindows Media Playerwmplayer.exe[4016] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00954E8F
.text C:program FilesWindows Media Playerwmplayer.exe[4016] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00954FAC
.text C:program FilesWindows Media Playerwmplayer.exe[4016] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00954D91
.text C:program FilesJavajre1.5.0_10binjusched.exe[4024] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00C34C77
.text C:program FilesJavajre1.5.0_10binjusched.exe[4024] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00C34E8F
.text C:program FilesJavajre1.5.0_10binjusched.exe[4024] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00C34FAC
.text C:program FilesJavajre1.5.0_10binjusched.exe[4024] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00C34D91

---- Modules - GMER 1.0.12 ----

Module (noname) (*** hidden *** ) F4415000
Module (noname) (*** hidden *** ) F4B25000
Module (noname) (*** hidden *** ) F4428000
Module (noname) (*** hidden *** ) F447A000

---- Files - GMER 1.0.12 ----

ADS C:Documents and SettingsMichalUlubioneRadio internetowe ULICZNIK.NET Punk Oi Ska Reggae, Radio - Aktywna Fabryka Twórczo:favicon
ADS C:Documents and SettingsMichalUlubione:favicon
ADS C:Documents and SettingsMichalUlubione:favicon
ADS C:Documents and SettingsMichalUlubione:favicon
ADS C:Documents and SettingsMichalUlubione:favicon
ADS C:Documents and SettingsMichalUlubione:favicon
File C:WINDOWSsystem32kdrss.exe

---- EOF - GMER 1.0.12 ----
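The GMER hook list above shows the same four ntdll.dll exports patched with a 5-byte JMP in every process, but the raw lines do not say whether one module or several are behind it. The script below is an added example, not part of this thread and not GMER's own code: it parses lines of exactly that shape and checks whether the JMP targets are consistent with a single DLL injected into every process. Three processes are copied from the log (with the backslashes the page copy lost restored); the svchost.exe line is constructed, does not appear in the log, and is there only to show what an odd one out looks like.

```python
"""Correlate GMER user-mode inline hooks across processes.

Every process in the GMER log carries the same four ntdll.dll exports patched
with a 5-byte JMP. The question is whether those JMPs all land in one injected
module (product-wide hooking, as HIPS and AV suites do) or whether some process
has been hooked by something else. The same exports are also what a user-mode
rootkit patches to hide files and registry keys, so the export names alone do
not settle it; the address pattern does.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# GMER line shape: .text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>
_HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<export>\w+)\s+(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})\s*$"
)


@dataclass(frozen=True)
class Hook:
    image: str
    pid: int
    export: str
    addr: int      # patched address inside ntdll.dll (same in every process on XP)
    size: int      # bytes overwritten; 5 is the E9 rel32 JMP stub
    target: int    # where the JMP lands


def parse_hooks(text: str) -> list[Hook]:
    """One Hook per well-formed '.text ... JMP ...' line; other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = _HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m["image"], int(m["pid"]), m["export"],
                              int(m["addr"], 16), int(m["size"]), int(m["target"], 16)))
    return hooks


def target_low_bits(hooks: list[Hook]) -> dict[str, set[int]]:
    """Low 16 bits of every JMP target, grouped by hooked export.

    A DLL injected into many processes is mapped at a 64 KiB-aligned base in each
    of them (Windows allocation granularity), so the handler's offset within the
    module, and with it the low 16 bits of the target, is identical everywhere
    even though the base differs. One value per export => one module everywhere.
    """
    low = defaultdict(set)
    for h in hooks:
        low[h.export].add(h.target & 0xFFFF)
    return dict(low)


def same_module_per_process(hooks: list[Hook]) -> dict[int, bool]:
    """True when all JMP targets inside a process share one 64 KiB region,
    i.e. they point into a single small module rather than scattered code."""
    regions = defaultdict(set)
    for h in hooks:
        regions[h.pid].add(h.target >> 16)
    return {pid: len(r) == 1 for pid, r in regions.items()}


def find_outliers(hooks: list[Hook]) -> list[Hook]:
    """Hooks whose target low bits differ from the majority for that export:
    the processes hooked by something other than the common module."""
    by_export = defaultdict(list)
    for h in hooks:
        by_export[h.export].append(h)
    outliers = []
    for hs in by_export.values():
        majority, _ = Counter(h.target & 0xFFFF for h in hs).most_common(1)[0]
        outliers.extend(h for h in hs if (h.target & 0xFFFF) != majority)
    return outliers


# Three processes copied from the GMER log (backslashes restored), plus one
# CONSTRUCTED svchost.exe line that is not in the log, to exercise the outlier path.
SAMPLE_LOG = r"""
.text C:\WINDOWS\explorer.exe[3164] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00BD4C77
.text C:\WINDOWS\explorer.exe[3164] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00BD4E8F
.text C:\WINDOWS\explorer.exe[3164] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00BD4FAC
.text C:\WINDOWS\explorer.exe[3164] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00BD4D91
.text C:\Program Files\Skype\Phone\Skype.exe[2656] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 024E4C77
.text C:\Program Files\Skype\Phone\Skype.exe[2656] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 024E4E8F
.text C:\Program Files\Skype\Phone\Skype.exe[2656] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 024E4FAC
.text C:\Program Files\Skype\Phone\Skype.exe[2656] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 024E4D91
.text C:\WINDOWS\system32\rundll32.exe[3648] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A44C77
.text C:\WINDOWS\system32\rundll32.exe[3648] ntdll.dll!NtDeleteValueKey 7C90D8CE 5 Bytes JMP 00A44E8F
.text C:\WINDOWS\system32\rundll32.exe[3648] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A44FAC
.text C:\WINDOWS\system32\rundll32.exe[3648] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00A44D91
.text C:\WINDOWS\system32\svchost.exe[1234] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00C8A120
"""

if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for export, bits in sorted(target_low_bits(hooks).items()):
        print(f"{export:22s} target low bits: {sorted(hex(b) for b in bits)}")
    for h in find_outliers(hooks):
        print(f"outlier: pid {h.pid} {h.image} {h.export} -> {h.target:08X}")
```

Identical low bits in every process only say that one module is responsible, not which one; to name it, take any single process and look up which loaded module's address range contains the JMP target (a process-module listing such as Process Explorer's will do). A process whose targets fall outside that pattern, as the constructed svchost.exe line does, is the one to pull apart first.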
 

fl3a

User
Joined
March 12, 2005
Posts
538
No sign of the "Storm worm". Out of pure curiosity, if you can, also make a log with RkU - http://www.rku.xell.ru/dl.php?fl=RkU3.20.130.388.exe RkU will most likely not start on a system where gmer has been installed. So you have to find the cmd file gmer_uninstall.cmd in the C:\Windows directory, run it, and then restart the computer.
 

cze

User
Joined
March 20, 2007
Posts
10
Silent log

For now I'm not removing Gmer, but here is the current log from Silent! Did anything change after the correction..?
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCUSoftwareMicrosoftWindowsCurrentVersionRun {++}
"CTFMON.EXE" = "C:WINDOWSsystem32ctfmon.exe" [MS]
"MSMSGS" = ""C:program FilesMessengermsmsgs.exe" /background" [MS]
"NBJ" = ""C:pROGRA~1AheadNEROBA~1NBJ.exe"" ["Ahead Software AG"]
"Gadu-Gadu" = ""C:program FilesGadu-Gadugg.exe" /tray" ["Gadu-Gadu S.A."]
"Skype" = ""C:program FilesSkypePhoneSkype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"Odkurzacz-MCD" = "C:program FilesOdkurzaczodk_mcd.exe" ["Franmo Software"]

HKLMSoftwareMicrosoftWindowsCurrentVersionRun {++}
"SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."]
"RemoteControl" = ""C:program FilesCyberLink DVD SolutionPowerDVDPDVDServ.exe"" ["Cyberlink Corp."]
"InCD" = "C:program FilesAheadInCDInCD.exe" ["Nero AG"]
"NeroFilterCheck" = "C:WINDOWSsystem32NeroCheck.exe" ["Ahead Software Gmbh"]
"NvCplDaemon" = "RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:WINDOWSsystem32NvMcTray.dll,NvTaskbarInit" [MS]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"LiveMonitor" = "C:program FilesMSILive Update 3LMonitor.exe" [empty string]
"(Default)" = "(empty string)" [file not found]
"NVIDIA nTune" = ""C:program FilesNVIDIA CorporationnTunenTuneCmd.exe" clear" ["NVIDIA"]
"ccApp" = ""C:program FilesCommon FilesSymantec SharedccApp.exe"" ["Symantec Corporation"]
"MagicRotation" = "C:program FilesMagicRotationMagicPvt.exe" ["Samsung Electronics, Inc."]
"StormCodec_Helper" = ""C:program FilesRingz StudioStorm CodecStormSet.exe" /S /opti" [null data]
"HP Software Update" = "C:program FilesHPHP Software UpdateHPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."]
"SunJavaUpdateSched" = ""C:program FilesJavajre1.5.0_10binjusched.exe"" ["Sun Microsystems, Inc."]
"Symantec NetDriver Monitor" = "C:pROGRA~1SYMNET~1SNDMon.exe /Consumer" ["Symantec Corporation"]
"!AVG Anti-Spyware" = ""C:program FilesGrisoftAVG Anti-Spyware 7.5avgas.exe" /minimized" ["Anti-Malware Development a.s."]

HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects
{02478D38-C3F9-4efb-9B51-7695ECA05670}(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion BHO"
InProcServer32(Default) = "C:program FilesYahoo!CompanionInstallscpn0ycomp5_6_2_0.dll" ["Yahoo! Inc."]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = "Skype add-on (mastermind)"
-> {HKLM...CLSID} = "Skype add-on (mastermind)"
InProcServer32(Default) = "C:pROGRA~1SkypePhoneIEPluginSKYPEI~1.DLL" ["Skype Technologies S.A."]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided)
-> {HKLM...CLSID} = "Megaupload Toolbar"
InProcServer32(Default) = "C:pROGRA~1MEGAUP~1MEGAUP~1.DLL" ["MegaUpload"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
InProcServer32(Default) = "C:program FilesJavajre1.5.0_10binssv.dll" ["Sun Microsystems, Inc."]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}(Default) = (no title provided)
-> {HKLM...CLSID} = "CNisExtBho Class"
InProcServer32(Default) = "C:program FilesCommon FilesSymantec SharedAdBlockingNISShExt.dll" ["Symantec Corporation"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
InProcServer32(Default) = "c:program filesgooglegoogletoolbar3.dll" ["Google Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}(Default) = (no title provided)
-> {HKLM...CLSID} = "CNavExtBho Class"
InProcServer32(Default) = "C:program FilesNorton Internet SecurityNorton AntiVirusNavShExt.dll" ["Symantec Corporation"]

HKLMSoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
InProcServer32(Default) = "C:WINDOWSsystem32hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
InProcServer32(Default) = "C:WINDOWSsystem32shdocvw.dll" [MS]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {HKLM...CLSID} = "Shell Extension for CDRW"
InProcServer32(Default) = "C:program FilesAheadInCDincdshx.dll" ["Nero AG"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
InProcServer32(Default) = "C:WINDOWSsystem32nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
InProcServer32(Default) = "C:WINDOWSsystem32nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
InProcServer32(Default) = "C:WINDOWSsystem32nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:WINDOWSsystem32nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
InProcServer32(Default) = "C:WINDOWSsystem32nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
InProcServer32(Default) = "C:program FilesMicrosoft OfficeOffice10OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:program FilesMicrosoft OfficeOffice10msohev.dll" [MS]
"{59403EC0-EA55-11d5-954A-9A53884D6E09}" = "SecureDoc"
-> {HKLM...CLSID} = "SecureDoc"
InProcServer32(Default) = "C:pROGRA~1MSISECURE~1SecDoc.dll" ["msi"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "C:program FilesWinRARrarext.dll" [null data]
"{9E5E1445-6CEA-4761-8E45-AA19F654571E}" = "MagicRotation Shell Extension"
-> {HKLM...CLSID} = "BkgndCtxMenuExt Class"
InProcServer32(Default) = "C:WINDOWSsystem32mpvthook.dll" ["Samsung Electronics, Inc."]

HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerShellExecuteHooks
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
InProcServer32(Default) = "C:program FilesGrisoftAVG Anti-Spyware 7.5shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLMSoftwareMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
InProcServer32(Default) = "C:WINDOWSsystem32WPDShServiceObj.dll" [MS]

HKLMSoftwareClasses*shellexContextMenuHandlers
AVG Anti-Spyware(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
InProcServer32(Default) = "C:program FilesGrisoftAVG Anti-Spyware 7.5context.dll" ["Anti-Malware Development a.s."]
SecureDocMenu(Default) = "{59403EC0-EA55-11d5-954A-9A53884D6E09}"
-> {HKLM...CLSID} = "SecureDoc"
InProcServer32(Default) = "C:pROGRA~1MSISECURE~1SecDoc.dll" ["msi"]
Symantec.Norton.Antivirus.IEContextMenu(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
InProcServer32(Default) = "C:program FilesNorton Internet SecurityNorton AntiVirusNavShExt.dll" ["Symantec Corporation"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "C:program FilesWinRARrarext.dll" [null data]

HKLMSoftwareClassesDirectoryshellexContextMenuHandlers
AVG Anti-Spyware(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
InProcServer32(Default) = "C:program FilesGrisoftAVG Anti-Spyware 7.5context.dll" ["Anti-Malware Development a.s."]
SecureDocMenu(Default) = "{59403EC0-EA55-11d5-954A-9A53884D6E09}"
-> {HKLM...CLSID} = "SecureDoc"
InProcServer32(Default) = "C:pROGRA~1MSISECURE~1SecDoc.dll" ["msi"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "C:program FilesWinRARrarext.dll" [null data]

HKLMSoftwareClassesFoldershellexContextMenuHandlers
Symantec.Norton.Antivirus.IEContextMenu(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
InProcServer32(Default) = "C:program FilesNorton Internet SecurityNorton AntiVirusNavShExt.dll" ["Symantec Corporation"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "C:program FilesWinRARrarext.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}

HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCUSoftwareMicrosoftInternet ExplorerDesktopGeneral
"Wallpaper" = "C:WINDOWSsystem32configsystemprofileUstawienia lokalneDane aplikacjiMicrosoftWallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCUControl PanelDesktop
"Wallpaper" = "C:Documents and SettingsMichalUstawienia lokalneDane aplikacjiMicrosoftWallpaper1.bmp"


Startup items in "Michal" & "All Users" startup folders:
--------------------------------------------------------

C:Documents and SettingsAll Users.WINDOWSMenu StartProgramyAutostart
"HP Digital Imaging Monitor" -> shortcut to: "C:program FilesHPDigital Imagingbinhpqtra08.exe" ["Hewlett-Packard Development Company, L.P."]
"HP Photosmart Premier - Szybkie uruchomienie" -> shortcut to: "C:program FilesHPDigital Imagingbinhpqthb08.exe -s" [null data]
"InterVideo WinCinema Manager" -> shortcut to: "C:program FilesInterVideoCommonBinWinCinemaMgr.exe" ["InterVideo Inc."]
"MagicTune 3.5" -> shortcut to: "C:program FilesSECMagicTune3.5_ClientMagicTuneTray.exe" [empty string]
"Microsoft Office" -> shortcut to: "C:program FilesMicrosoft OfficeOffice10OSA.EXE -b -l" [MS]
"NaturalColorLoad" -> shortcut to: "C:program FilesSECNatural ColorNaturalColorLoad.exe" [empty string]
"SecureDoc" -> shortcut to: "C:program FilesMSISecureDocLogon.exe" ["msi"]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Michal" -> launches: "C:pROGRA~1NORTON~1NORTON~1Navw32.exe /task:"C:Documents and SettingsAll Users.WINDOWSDane aplikacjiSymantecNorton AntiVirusTasksmycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLMSystemCurrentControlSetServicesWinsock2ParametersNameSpace_Catalog5Catalog_E
ntries {++}
000000000001LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]
000000000002LibraryPath = "%SystemRoot%System32winrnr.dll" [MS]
000000000003LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]

Transport Service Providers

HKLMSystemCurrentControlSetServicesWinsock2ParametersProtocol_Catalog9Catalog_En
tries {++}
0000000000##PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%system32mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%system32rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCUSoftwareMicrosoftInternet ExplorerToolbarShellBrowser
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
InProcServer32(Default) = "C:program FilesNorton Internet SecurityNorton AntiVirusNavShExt.dll" ["Symantec Corporation"]

HKCUSoftwareMicrosoftInternet ExplorerToolbarWebBrowser
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {HKLM...CLSID} = "Norton Internet Security"
InProcServer32(Default) = "C:program FilesCommon FilesSymantec SharedAdBlockingNISShExt.dll" ["Symantec Corporation"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "&Yahoo! Companion"
InProcServer32(Default) = "C:program FilesYahoo!CompanionInstallscpn0ycomp5_6_2_0.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
InProcServer32(Default) = "c:program filesgooglegoogletoolbar3.dll" ["Google Inc."]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
InProcServer32(Default) = "C:WINDOWSsystem32ieframe.dll" [MS]

HKLMSoftwareMicrosoftInternet ExplorerToolbar
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {HKLM...CLSID} = "Norton Internet Security"
InProcServer32(Default) = "C:program FilesCommon FilesSymantec SharedAdBlockingNISShExt.dll" ["Symantec Corporation"]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {HKLM...CLSID} = "Norton AntiVirus"
InProcServer32(Default) = "C:program FilesNorton Internet SecurityNorton AntiVirusNavShExt.dll" ["Symantec Corporation"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Companion"
InProcServer32(Default) = "C:program FilesYahoo!CompanionInstallscpn0ycomp5_6_2_0.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
InProcServer32(Default) = "c:program filesgooglegoogletoolbar3.dll" ["Google Inc."]
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)
-> {HKLM...CLSID} = "Megaupload Toolbar"
InProcServer32(Default) = "C:pROGRA~1MEGAUP~1MEGAUP~1.DLL" ["MegaUpload"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLMSoftwareMicrosoftInternet ExplorerExtensions
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
InProcServer32(Default) = "C:program FilesJavajre1.5.0_10binssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
InProcServer32(Default) = "C:program FilesJavajre1.5.0_10binnpjpi150_10.dll" ["Sun Microsystems, Inc."]

{77BF5300-1474-4EC7-9980-D32B190E9B07}
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
-> {HKLM...CLSID} = "Skype add-on (button)"
InProcServer32(Default) = "C:pROGRA~1SkypePhoneIEPluginSKYPEI~1.DLL" ["Skype Technologies S.A."]

{DE60714F-AC17-427E-861A-FD60CBDF119A}
"ButtonText" = "Ň×ȤąşÎď"
"MenuText" = "Ň×ȤąşÎď"
"Exec" = "http://click2.ad4all.net/url2/urlmanage/url.asp?id=1" [file not found]

{E2E2DD38-D088-4134-82B7-F2BA38496583}
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%Network Diagnosticxpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:program FilesMessengermsmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:program FilesSymantecLiveUpdateALUSchedulerSvc.exe"" ["Symantec Corporation"]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:program FilesGrisoftAVG Anti-Spyware 7.5guard.exe" ["Anti-Malware Development a.s."]
InCD Helper, InCDsrv, "C:program FilesAheadInCDInCDsrv.exe" ["Nero AG"]
ISSvc, ISSVC, ""C:program FilesNorton Internet SecurityISSVC.exe"" ["Symantec Corporation"]
Machine Debug Manager, MDM, ""C:program FilesCommon FilesMicrosoft SharedVS7Debugmdm.exe"" [MS]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:program FilesNorton Internet SecurityNorton AntiVirusnavapsvc.exe"" ["Symantec Corporation"]
nTune Service, nTuneService, "C:program FilesNVIDIA CorporationnTunenTuneService.exe /StartService" ["NVIDIA"]
NVIDIA Display Driver Service, NVSvc, "C:WINDOWSsystem32nvsvc32.exe" ["NVIDIA Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:program FilesCommon FilesSymantec SharedccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:program FilesCommon FilesSymantec SharedSNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:program FilesCommon FilesSymantec SharedccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:program FilesCommon FilesSymantec SharedccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:program FilesCommon FilesSymantec SharedSPBBCSPBBCSvc.exe"" ["Symantec Corporation"]


Print Monitors:
---------------

HKLMSystemCurrentControlSetControlPrintMonitors
HP Standard TCP/IP PortDriver = "HpTcpMon.dll" ["Hewlett Packard"]
PCL hpz3l054Driver = "hpz3l054.dll" ["Hewlett-Packard Company"]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 49 seconds, including 2 seconds for message boxes)
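Reading a Silent Runners report by hand comes down to scanning for the annotation the script puts after each launch point ([MS], ["Vendor"], [null data], [empty string], [file not found]) and for its <<!>> marker. The script below is an added example, not part of this thread and not Silent Runners' own code; it does that scan mechanically over a handful of lines copied from the report above (backslashes restored). The rule set is mine and only prioritises: a named vendor comes from the file's version resource, which anyone can type into a binary, so it lowers priority but never clears an entry, and an entry it pulls out is a candidate to open, not a verdict.

```python
"""Mechanical first pass over a Silent Runners report.

Silent Runners annotates each launch point with the company name taken from the
file's version resource: [MS] for Microsoft, ["Vendor"] for anyone else,
[null data] when the file has no version information, [empty string] when the
company field is blank, [file not found] when the path does not exist, and it
prefixes entries it considers suspicious with <<!>>. The rules below turn those
annotations into a short review list.
"""
import re
from dataclasses import dataclass, field

_ENTRY_RE = re.compile(
    r'^(?P<flag><<!>>\s*)?'
    r'(?P<name>"[^"]*"|\S+)\s*(?:=|->\s*shortcut to:)\s*'
    r'"(?P<value>.*)"(?:\s*\[(?P<tag>[^\]]*)\])?\s*$'
)
_GUID_LINE_RE = re.compile(r'^\{[0-9A-Fa-f-]{36}\}$')
_PER_EXTENSION = {"Exec", "ButtonText", "MenuText"}   # keys inside an IE Extensions block


@dataclass
class Finding:
    name: str
    value: str
    tag: str
    reasons: list[str] = field(default_factory=list)


def triage(report: str) -> list[Finding]:
    """Launch points a reviewer should open first, each with the rule(s) that
    selected it, in report order."""
    findings: list[Finding] = []
    context = ""   # GUID heading of the IE Extensions block currently being read
    for raw in report.splitlines():
        line = raw.strip()
        if _GUID_LINE_RE.match(line):
            context = line
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        name, value, tag = m["name"].strip('"'), m["value"], m["tag"] or ""
        if name in _PER_EXTENSION and context:
            name = f"{context}:{name}"
        reasons = []
        if m["flag"]:
            reasons.append("marked <<!>> by Silent Runners (suspicious launch point)")
        if tag == "file not found":
            reasons.append("target file does not exist (stale entry, or the file was already removed)")
        elif tag == "null data":
            reasons.append("target has no version information at all")
        elif tag == "empty string":
            reasons.append("target's company-name field is empty")
        if value.lower().startswith(("http://", "https://")):
            reasons.append("launch point runs a URL instead of a local file")
        if name.endswith(("ButtonText", "MenuText")) and any(ord(c) > 127 for c in value):
            reasons.append("non-ASCII menu text, typically a mis-encoded foreign-language add-on")
        if reasons:
            findings.append(Finding(name, value, tag, reasons))
    return findings


# Lines copied from the Silent Runners report in this thread (backslashes restored).
SAMPLE_REPORT = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run {++}
"LiveMonitor" = "C:\Program Files\MSI\Live Update 3\LMonitor.exe" [empty string]
"(Default)" = "(empty string)" [file not found]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"StormCodec_Helper" = ""C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti" [null data]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

HKLM\Software\Microsoft\Internet Explorer\Extensions
{DE60714F-AC17-427E-861A-FD60CBDF119A}
"ButtonText" = "Ň×ȤąşÎď"
"Exec" = "http://click2.ad4all.net/url2/urlmanage/url.asp?id=1" [file not found]

{FB5F1910-F110-11D2-BB9E-00C04F795683}
"ButtonText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.name}\n    {f.value!r} [{f.tag}]")
        for r in f.reasons:
            print(f"    - {r}")
```

On the lines above the list comes out as LiveMonitor, the odd "(Default)" entry, StormCodec_Helper, the AVG shell-execute hook that Silent Runners itself flagged (a known component of an installed product, so a quick dismissal), and both lines of the ad4all.net extension; the Symantec, NVIDIA and Messenger entries are not listed.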
 

fl3a

User
Joined
March 12, 2005
Posts
538
---- Modules - GMER 1.0.12 ----

Module (noname) (*** hidden *** ) F4415000
Module (noname) (*** hidden *** ) F4B25000
Module (noname) (*** hidden *** ) F4428000
Module (noname) (*** hidden *** ) F447A000

I wanted to find out what those modules are. There is nothing suspicious in the logs, and certainly not the pest from the thread title.
 

cze

User
Joined
March 20, 2007
Posts
10
You're asking me what those modules are?? I haven't the faintest idea! I fiddled around a bit following the hints, but Norton keeps showing me that damned Trojan!
 

fl3a

User
Joined
March 12, 2005
Posts
538
You're asking me what those modules are?? I haven't the faintest idea!
I wanted to ask RkU

Give the name of the file that Norton mentions...
 

cze

User
Joined
March 20, 2007
Posts
10
Norton Internet Security shows Trojan.Peacomm in the Outbreak Alert tab!
So what about this "gem"...? ...kill it..!?
 

cze

User
Joined
March 20, 2007
Posts
10
Yes, but that's exactly the problem: Norton finds it, but there's no way to remove it!!! And that's why I'm looking for help........
 

fl3a

User
Joined
March 12, 2005
Posts
538
To advise anything we need the name of that file. That's why I'd like you to also post the RkU logs. Alternatively, if you want, scan the system with various online scanners...
 

cze

User
Joined
March 20, 2007
Posts
10
The system has already been scanned online, and it found something there, which I deleted!!
OK, RkU... what is that? I'm not that much of a brain, sorry, but that one I don't know!!!

[ Added: 23-03-2007, 17:19 ]
Oh, and when I do a normal scan in Norton it doesn't find anything suspicious!
 

cze

User
Joined
March 20, 2007
Posts
10
I don't know if this is what was meant, but here it is! Let me know whether this is it..!!
>SSDT State
NtConnectPort
Actual Address 0x86412108
Hooked by: Unknown module filename

NtOpenProcess
Actual Address 0xF7C028AC
Hooked by: C:program FilesGrisoftAVG Anti-Spyware 7.5guard.sys

NtOpenThread
Actual Address 0x863FF8B8
Hooked by: Unknown module filename

NtTerminateProcess
Actual Address 0xF7C02812
Hooked by: C:program FilesGrisoftAVG Anti-Spyware 7.5guard.sys

>Processes
>Drivers
>Files
>Hooks
[2952]Skype.exe-->user32.dll-->ScrollWindow, Type: IAT modification at address 0x00D9B84C hook handler located in [Skype.exe]
[2952]Skype.exe-->user32.dll-->ScrollWindowEx, Type: IAT modification at address 0x00D9B848 hook handler located in [Skype.exe]
[3740]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump at address 0x77D76CAD hook handler located in [ieframe.dll]
[3740]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump at address 0x77D52043 hook handler located in [ieframe.dll]
[3740]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump at address 0x77D5B11C hook handler located in [ieframe.dll]
[3740]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump at address 0x77D4662C hook handler located in [ieframe.dll]
[3740]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump at address 0x77D7055C hook handler located in [ieframe.dll]
[3740]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump at address 0x77D70538 hook handler located in [ieframe.dll]
[3740]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump at address 0x77D5A05A hook handler located in [ieframe.dll]
[3740]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump at address 0x77D86093 hook handler located in [ieframe.dll]
[3740]iexplore.exe-->user32.dll-->SetWindowLongA, Type: Inline - RelativeJump at address 0x77D3D60D hook handler located in [ieframe.dll]
[3740]iexplore.exe-->user32.dll-->SetWindowLongA, Type: Inline - RelativeJump at address 0x77D3D62B hook handler located in [ieframe.dll]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
 

fl3a

User
Joined
March 12, 2005
Posts
538
NtConnectPort
Actual Address 0x86412108
Hooked by: Unknown module filename
NtOpenThread
Actual Address 0x863FF8B8
Hooked by: Unknown module filename

This is most likely a leftover from the worm.
The pest itself is absent.
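The two SSDT entries quoted in the reply above are the ones worth understanding. In RkU's ">SSDT State" block each patched system-service entry is printed with the address it now points at and the loaded driver that address falls in; "Unknown module filename" means the handler lies outside every driver image RkU could enumerate, i.e. the code sits in dynamically allocated kernel memory or in an image unlinked from the loaded-module list, which is how a hook outlives the deletion of the file that planted it. The script below is an added example, not part of this thread and not RkU's own code; it parses the report posted above (the SSDT block and a few of the ">Hooks" lines, backslashes restored) and separates what can be attributed from what cannot. Which of those addresses belonged to the Trojan is not something the report alone can tell; the script only sorts the evidence.

```python
"""Split a RootKit Unhooker (RkU) report into hooks that RkU could attribute to
a loaded driver or module and hooks that it could not."""
import re
from dataclasses import dataclass
from typing import Optional

UNKNOWN = "Unknown module filename"   # RkU's wording when no module contains the handler

# ">SSDT State" entries: three lines per hooked service
_SSDT_RE = re.compile(
    r"^(?P<service>Nt\w+)\s*\n\s*Actual Address\s+0x(?P<addr>[0-9A-Fa-f]+)\s*\n"
    r"\s*Hooked by:\s*(?P<module>[^\n]+?)\s*$",
    re.MULTILINE,
)
# ">Hooks" entries: [pid]image-->dll-->func, Type: <kind> at address 0x.. hook handler located in [module]
_USER_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<image>.+?)-->(?P<dll>.+?)-->(?P<func>\w+),\s*Type:\s*"
    r"(?P<kind>.+?)\s+at address\s+0x(?P<addr>[0-9A-Fa-f]+)\s+"
    r"hook handler located in \[(?P<handler>[^\]]+)\]\s*$"
)


@dataclass(frozen=True)
class SsdtHook:
    service: str
    address: int
    module: Optional[str]   # None when RkU printed "Unknown module filename"


@dataclass(frozen=True)
class UserHook:
    pid: int
    image: str
    dll: str
    func: str
    kind: str
    address: int
    handler: str


def parse_ssdt(report: str) -> list[SsdtHook]:
    return [SsdtHook(m["service"], int(m["addr"], 16),
                     None if m["module"] == UNKNOWN else m["module"])
            for m in _SSDT_RE.finditer(report)]


def parse_user_hooks(report: str) -> list[UserHook]:
    hooks = []
    for line in report.splitlines():
        m = _USER_RE.match(line.strip())
        if m:
            hooks.append(UserHook(int(m["pid"]), m["image"], m["dll"], m["func"], m["kind"],
                                  int(m["addr"], 16), m["handler"]))
    return hooks


def unattributed_ssdt(report: str) -> list[SsdtHook]:
    """SSDT entries whose handler RkU could not place in any loaded driver:
    code in allocated kernel memory or in an unlinked image. Follow these up first."""
    return [h for h in parse_ssdt(report) if h.module is None]


def ssdt_drivers(report: str) -> set[str]:
    """Drivers owning the attributed SSDT hooks; each should correspond to a
    product known to be installed (here AVG Anti-Spyware's guard.sys)."""
    return {h.module for h in parse_ssdt(report) if h.module is not None}


def cross_module_user_hooks(report: str) -> list[UserHook]:
    """User-mode hooks whose handler is in a module other than the process image.
    A process patching its own imports (packers, DRM; Skype.exe here) is routine;
    a separate DLL redirecting API calls is what to check against known components."""
    return [h for h in parse_user_hooks(report) if h.handler.lower() != h.image.lower()]


# Copied from the RkU report posted in this thread (backslashes restored, subset of ">Hooks").
SAMPLE_REPORT = r"""
>SSDT State
NtConnectPort
Actual Address 0x86412108
Hooked by: Unknown module filename

NtOpenProcess
Actual Address 0xF7C028AC
Hooked by: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys

NtOpenThread
Actual Address 0x863FF8B8
Hooked by: Unknown module filename

NtTerminateProcess
Actual Address 0xF7C02812
Hooked by: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys

>Hooks
[2952]Skype.exe-->user32.dll-->ScrollWindow, Type: IAT modification at address 0x00D9B84C hook handler located in [Skype.exe]
[2952]Skype.exe-->user32.dll-->ScrollWindowEx, Type: IAT modification at address 0x00D9B848 hook handler located in [Skype.exe]
[3740]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump at address 0x77D5B11C hook handler located in [ieframe.dll]
[3740]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump at address 0x77D70538 hook handler located in [ieframe.dll]
"""

if __name__ == "__main__":
    for h in unattributed_ssdt(SAMPLE_REPORT):
        print(f"UNATTRIBUTED SSDT hook: {h.service} -> 0x{h.address:08X}")
    print("SSDT hooks owned by:", sorted(ssdt_drivers(SAMPLE_REPORT)))
    for h in cross_module_user_hooks(SAMPLE_REPORT):
        print(f"pid {h.pid} {h.image}: {h.dll}!{h.func} handled in {h.handler} ({h.kind})")
```

On this report the unattributed list is NtConnectPort and NtOpenThread, the attributed ones belong to guard.sys, and the only cross-module user-mode hooks are in iexplore.exe with the handler in ieframe.dll, which is Internet Explorer's own frame DLL. Note that the two unattributed handlers (0x86412108, 0x863FF8B8) also do not coincide with the four hidden module bases GMER reported (F4415000 and the others); without those modules' sizes the script makes no claim about whether they are related.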
 