o matko ja taki stary a tu taka matematyka ale jakos zmeczyłem
hije
Logfile of HijackThis v1.99.1
Scan saved at 16:43:21, on 2007-01-11
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\{5088595B-06C4-1045-0131-020308020030}\Update.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Kalendarz XP\Kalendarz.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\PAWEŁ\USTAWI~1\Temp\Rar$EX00.152\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [{5088595B-06C5-1045-0131-020308020030}] "C:\Program Files\Common Files\{5088595B-06C5-1045-0131-020308020030}\Update.exe" te-110-12-0000273
O4 - HKLM\..\Run: [{5088595B-06C4-1045-0131-020308020030}] "C:\Program Files\Common Files\{5088595B-06C4-1045-0131-020308020030}\Update.exe" te-110-12-0000273
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://bezpieczenstwo.onet.pl/skaner/ArcaOnline.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c567.cab?0407451f125bb4702ef22c41b34bd5979c55160096913529835d16a72533d83b2e3f66b7061404865d208e54adc74b1fca7477cb89ffde9ea6bac6a5dfd81ba8c3f1f16ecc:155ff7b6a3c39e5d13b88244eaad9a2e
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3093016-34A3-483E-B536-110D0103C6E7}: NameServer = 85.255.113.126,85.255.112.102
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.126 85.255.112.102
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.126 85.255.112.102
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.126 85.255.112.102
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O21 - SSODL: CDRecorder029 - {A3BC5E20-0235-1ABF-9CE1-00AA00512029} - C:\WINDOWS\system32\wvwc32.dll
O21 - SSODL: hnJmWRCAOUxG - {5088595C-FA22-F3F6-B874-057871DA2F80} - C:\WINDOWS\system32\usxgr.dll (file missing)
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service (file missing)
O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
i nastepne
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gxnepycs
*******************
Script file located at: \??\C:\wveyhwjx.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Driver aspi113210 unloaded successfully.
Driver COM+ Messages unloaded successfully.
Folder C:\Program Files\Common Files\{5088595B-06C5-1045-0131-020308020030} deleted successfully.
File C:\WINDOWS\system32\rpcc.dll deleted successfully.
File C:\WINDOWS\system32\usxgr.dll deleted successfully.
File C:\WINDOWS\system32\aspi113921.exe deleted successfully.
File C:\WINDOWS\system32\svchosts.exe not found!
Deletion of file C:\WINDOWS\system32\svchosts.exe failed!
Could not process line:
C:\WINDOWS\system32\svchosts.exe
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
i nastepne
Fixwareout
Last edited 1/1/2006
Post this report in the forums please
...
Prerun check
»»»»» HKLM run and Winlogon System values
C:\WINDOWS\system32\csfrf.exe will be moved to C:\WINDOWS\temp\csfrf.ren at reboot.
»»»»» System restarted
...
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4DF6F572DF8F-F03B-6584-FD6B-83419AE3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\twsmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B85D73C284C7-B929-BBB4-DC33-77666B8F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "dpid"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "pid"
...
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names...
»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects.
»»»»» Misc files.
C:\WINDOWS\System32\taskdir.exe
C:\WINDOWS\System32\adir.dll
»»»»» Checking for older varients covered by the Rem3 tool.
»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"system"=""
»»»»»
Złączono Posta _: 11.01.2007 (Czw) 17:11_i jeszcze silent runners
Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]
"(Default)" = (unknown data type)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"{5088595B-06C5-1045-0131-020308020030}" = ""C:\Program Files\Common Files\{5088595B-06C5-1045-0131-020308020030}\Update.exe" te-110-12-0000273" [file not found]
"{5088595B-06C4-1045-0131-020308020030}" = ""C:\Program Files\Common Files\{5088595B-06C4-1045-0131-020308020030}\Update.exe" te-110-12-0000273" [null data]
"IpWins" = "C:\Program Files\Ipwindows\ipwins.exe" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"hnJmWRCAOUxG" = "{5088595C-FA22-F3F6-B874-057871DA2F80}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\usxgr.dll" [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> rpcc\DLLName = "C:\WINDOWS\system32\rpcc.dll" [file not found]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\KAV Shared Files\AvpShlEx.dll" ["Kaspersky Labs."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\KAV Shared Files\AvpShlEx.dll" ["Kaspersky Labs."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr" = (REG_SZ) 1
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Paweł\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]
Startup items in "Paweł" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Kalendarz XP" -> shortcut to: "C:\Program Files\Kalendarz XP\Kalendarz.exe" [null data]
Enabled Scheduled Tasks:
------------------------
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
----------
<>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 289 seconds.
---------- (total run time: 431 seconds)