I keep getting fake (I hope) virus warnings, and IE redirects me to the site http://aprotectservice.com/
mks only detected Trojan.Vundo.Q and cannot remove it.
Please check the log and help me remove the trojan.
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++} “user32.dll” = “C:\Program Files\Video AX Object\bpmon.exe” [null data] “rare” = “C:\Program Files\Video AX Object\smmain.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Cpqset” = “C:\Program Files\HPQ\Default Settings\cpqset.exe” [null data] “SynTPEnh” = “C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [“Synaptics, Inc.”] “WatchDog” = “C:\Program Files\InterVideo\DVD Check\DVDCheck.exe” [“InterVideo Inc.”] “igfxtray” = “C:\WINDOWS\system32\igfxtray.exe” [“Intel Corporation”] “igfxhkcmd” = “C:\WINDOWS\system32\hkcmd.exe” [“Intel Corporation”] “igfxpers” = “C:\WINDOWS\system32\igfxpers.exe” [“Intel Corporation”] “hpWirelessAssistant” = “C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe” [“Hewlett-Packard Development Company, L.P.”] “SoundMAX” = “C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray” [“Analog Devices, Inc.”] “IAAnotif” = “C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe” [“Intel Corporation”] “HP Software Update” = “C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Co.”] “SoundMAXPnP” = “C:\Program Files\Analog Devices\Core\smax4pnp.exe” [“Analog Devices, Inc.”] “PTHOSTTR” = “C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start” [“Hewlett-Packard Development Company, L.P.”] “CognizanceTS” = “rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule” [MS] “QlbCtrl” = “C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start” “NeroCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {02478D38-C3F9-4EFB-9B51-7695ECA05670}(Default) = (no title provided) -> {HKLM…CLSID} = “Yahoo! Toolbar Helper” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {D34F5D71-99E4-4D96-91CA-F4104F69B8AE}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Video AX Object\bpvol.dll” [null data] {DF21F1DB-80C6-11D3-9483-B03D0EC10000}(Default) = (no title provided) -> {HKLM…CLSID} = “HP Credential Manager for ProtectTools” \InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll” [“Infineon Technologies AG”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program 
Files\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”] “{6af09ec9-b429-11d4-a1fb-0090960218cb}” = “My Bluetooth Places” -> {HKLM…CLSID} = “Moje miejsca interfejsu Bluetooth” \InProcServer32(Default) = “C:\WINDOWS\system32\btneighborhood.dll” [“Broadcom Corporation.”] “{666C7831-A9B6-4AB4-94ED-DC238C81E925}” = “Document Manager (Context Menu)” -> {HKLM…CLSID} = “Document Manager (Shell Context Menu)” \InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\SFSShell.dll” [“Cognizance Corporation”] “{666C7832-A9B6-4AB4-94ED-DC238C81E925}” = “Document Manager (File Properties)” -> {HKLM…CLSID} = “Document Manager (Shell File Properties)” \InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\SFSShell.dll” [“Cognizance Corporation”] “{666C7835-A9B6-4AB4-94ED-DC238C81E925}” = “Document Manager (Drive Properties)” -> {HKLM…CLSID} = “Document Manager (Shell Drive Properties)” \InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\SFSShell.dll” [“Cognizance Corporation”] “{E08BF9C5-191E-4B15-8F67-2622B4DB5580}” = “PSD Shell Extension” -> {HKLM…CLSID} = “PSDShCtrl Class” \InProcServer32(Default) = “C:\Program Files\ProtectTools\Embedded Security Software\PSDShExt.dll” [“Infineon Technologies AG”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play” -> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play” \InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ <> “{4233ac08-a2c4-4742-a0b4-83719613d62c}” = “grassily” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\ilmpjy.dll” [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> IfxWlxEN\DLLName = “IfxWlxEN.dll” [“Infineon Technologies AG”] <> igfxcui\DLLName = 
“igfxdev.dll” [“Intel Corporation”] <> OneCard\DLLName = “C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll” [“Cognizance Corporation”] HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\ DisplayName = “Default Domain Policy” 0\ -> launches: “\ens.pl\sysvol\ens.pl\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\LocalAdmins.bat” [** WMI GetObject error **] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ APSDShExt(Default) = “{E08BF9C5-191E-4B15-8F67-2622B4DB5580}” -> {HKLM…CLSID} = “PSDShCtrl Class” \InProcServer32(Default) = “C:\Program Files\ProtectTools\Embedded Security Software\PSDShExt.dll” [“Infineon Technologies AG”] Document Manager(Default) = “{666C7831-A9B6-4AB4-94ED-DC238C81E925}” -> {HKLM…CLSID} = “Document Manager (Shell Context Menu)” \InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\SFSShell.dll” [“Cognizance Corporation”] PowerArchiver(Default) = “{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}” -> {HKLM…CLSID} = “PowerArchiver Shell Extensions” \InProcServer32(Default) = “C:\Program Files\PowerArchiver\PASHLEXT.DLL” [“eFront Media, Inc.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ Document Manager(Default) = “{666C7831-A9B6-4AB4-94ED-DC238C81E925}” -> {HKLM…CLSID} = “Document Manager (Shell Context Menu)” \InProcServer32(Default) = 
“C:\Program Files\HPQ\IAM\Bin\SFSShell.dll” [“Cognizance Corporation”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ APSDShExt(Default) = “{E08BF9C5-191E-4B15-8F67-2622B4DB5580}” -> {HKLM…CLSID} = “PSDShCtrl Class” \InProcServer32(Default) = “C:\Program Files\ProtectTools\Embedded Security Software\PSDShExt.dll” [“Infineon Technologies AG”] PowerArchiver(Default) = “{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}” -> {HKLM…CLSID} = “PowerArchiver Shell Extensions” \InProcServer32(Default) = “C:\Program Files\PowerArchiver\PASHLEXT.DLL” [“eFront Media, Inc.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\HP Cityscape.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\HP Cityscape.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “emiekoc” & “All Users” startup folders: --------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “BTTray” -> shortcut to: “C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe” [“Broadcom Corporation.”] “DVD Check” -> shortcut to: “C:\Program Files\InterVideo\DVD Check\DVDCheck.exe” [“InterVideo Inc.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = 
“%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] “{F0993251-2512-4710-AF6E-0A13EA199D02}” -> {HKLM…CLSID} = “Protection Bar” \InProcServer32(Default) = “C:\Program Files\Video AX Object\splug.dll” [null data] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = (no title provided) -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! 
Inc.”] “{F0993251-2512-4710-AF6E-0A13EA199D02}” = (no title provided) -> {HKLM…CLSID} = “Protection Bar” \InProcServer32(Default) = “C:\Program Files\Video AX Object\splug.dll” [null data] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{F0993251-2512-4710-AF6E-0A13EA199D02}(Default) = “Protection Bar” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Video AX Object\splug.dll” [null data] HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {CCA281CA-C863-46EF-9331-5C8D4460577F}\ “ButtonText” = “@btrez.dll ,-4015” “MenuText” = “@btrez.dll ,-4017” “Script” = “C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm” [null data] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”) Added lines (compared with English-language version): [strings]: START_PAGE_URL=http://www.hp.com Missing lines (compared with English-language version): [strings]: 1 line HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = “*g” (unwritable string) -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! 
Inc.”] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Bluetooth Service, btwdins, “C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe” [“Broadcom Corporation.”] hpqwmiex, hpqwmiex, “C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe” [“Hewlett-Packard Development Company, L.P.”] Intel® Matrix Storage Event Monitor, IAANTMon, “C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe” [“Intel Corporation”] Local Communication Channel, ASChannel, “C:\WINDOWS\System32\svchost.exe -k Cognizance” {“C:\Program Files\HPQ\IAM\Bin\ASChnl.dll” [“Cognizance Corporation”]} Personal Secure Drive Service, PersonalSecureDriveService, ““C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE”” [“Infineon Technologies AG”] Radia Management Agent, rma, “C:/Novadigm/ManagementAgent/nvdkit.exe” [null data] Security Platform Management Service, IFXSpMgtSrv, “C:\WINDOWS\system32\IFXSPMGT.exe” [“Infineon Technologies AG”] Trusted Platform Core Service, IFXTCS, “C:\WINDOWS\system32\IFXTCS.exe” [“Infineon Technologies AG”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ CPCA Language Monitor2\Driver = “AUCPLMNT.DLL” [“CANON INC.”] HP Master Monitor\Driver = “HPBMMON.DLL” [“Hewlett-Packard”] HP Mobile Printing Monitor\Driver = “HPMPMW.DLL” [“Hewlett-Packard”] Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] Port drukarki interfejsu Bluetooth\Driver = “bthcrp.dll” [“Broadcom Corporation.”] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. 
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 26 seconds, including 6 seconds for message boxes)
Logfile of HijackThis v1.99.1 Scan saved at 09:51:06, on 2007-05-07 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\HPQ\IAM\bin\asghost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Video AX Object\bpmon.exe C:\Program Files\Video AX Object\smmain.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Video AX Object\smmon.exe C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Video AX Object\bpmini.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\WINDOWS\system32\IFXSPMGT.exe C:\WINDOWS\system32\IFXTCS.exe C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE C:\Novadigm\ManagementAgent\nvdkit.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE D:\Instalki\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazeta.pl/0,0.html R1 - HKLM\Software\Microsoft\Internet 
Explorer\Main,Default_Page_URL = http://www.hp.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {D34F5D71-99E4-4D96-91CA-F4104F69B8AE} - C:\Program Files\Video AX Object\bpvol.dll O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: Protection Bar - {F0993251-2512-4710-AF6E-0A13EA199D02} - C:\Program Files\Video AX Object\splug.dll O4 - HKLM…\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM…\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM…\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe O4 - HKLM…\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM…\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM…\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM…\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM…\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM…\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: 
[soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM…\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start O4 - HKLM…\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule O4 - HKLM…\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: @btrez.dll ,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra ‘Tools’ menuitem: @btrez.dll ,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com O15 - Trusted Zone: http://ens-dcbkp.ens.pl O16 - DPF: {20DD1B9E-87C4-11D1-8BE3-0000F8754DA1} (Microsoft Date and Time Picker Control, version 6.0) - http://ens-dcbkp.ens.pl/travel/plugins/mscomct2.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://217.173.193.218/activex/AxisCamControl.cab O16 - DPF: 
{E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rvi.se.ericsson.net/dana-cached … tupSP1.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ens.pl O17 - HKLM\Software…\Telephony: DomainName = ens.pl O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ens.pl O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ens.pl O20 - Winlogon Notify: IfxWlxEN - C:\WINDOWS\SYSTEM32\IfxWlxEN.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE O23 - Service: Radia Management Agent (rma) - Unknown owner - C:/Novadigm/ManagementAgent/nvdkit.exe
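An added example (not code from the thread, HijackThis or Silent Runners): a small parser for HijackThis-style O2/O3/O4 lines with two checks a helper would otherwise do by eye on the log above, plus a before/after comparison that lists what a cleanup removed. The suspicious directory name "Video AX Object" comes from the thread's own logs; the sample lines are copied from the posted log, except the "after" log and the last O4 line, which are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Line shapes used by HijackThis 1.x for the sections handled here:
#   O2 - BHO: <title> - {CLSID} - <path>
#   O3 - Toolbar: <title> - {CLSID} - <path>
#   O4 - HKLM\..\Run: [<value name>] <command>
LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<body>.*)$")
CLSID_ENTRY_RE = re.compile(r"^(?P<title>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_ENTRY_RE = re.compile(r"^\[(?P<title>[^\]]*)\] (?P<path>.+)$")

# Directory names the thread ties to the infection (lower-case substring match).
SUSPECT_DIRS = ("video ax object",)

@dataclass(frozen=True)
class Entry:
    section: str           # O2, O3, O4 ...
    kind: str              # "BHO", "Toolbar", "HKLM\..\Run" ...
    title: str             # display name, or the Run value name
    clsid: Optional[str]   # only for COM-registered items (O2/O3)
    path: str              # file or command the entry loads

def parse_hjt(text: str) -> List[Entry]:
    """Parse O2 (BHO), O3 (toolbar) and O4 (Run key) lines; other sections are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, kind, body = m["section"], m["kind"], m["body"]
        if section in ("O2", "O3"):
            e = CLSID_ENTRY_RE.match(body)
            if e:
                entries.append(Entry(section, kind, e["title"], e["clsid"], e["path"]))
        elif section == "O4":
            e = RUN_ENTRY_RE.match(body)
            if e:
                entries.append(Entry(section, kind, e["title"], None, e["path"]))
    return entries

def flag(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs for items that deserve a closer look."""
    findings = []
    for e in entries:
        if any(d in e.path.lower() for d in SUSPECT_DIRS):
            findings.append((e, "loads from a directory tied to the infection"))
        elif e.section == "O2" and e.title == "(no name)":
            # Weak signal on its own: Spybot's SDHelper is also unnamed, so only mark for review.
            findings.append((e, "unnamed BHO: check the DLL's publisher before removing"))
    return findings

def removed_between(before: str, after: str) -> List[Entry]:
    """Entries present in the earlier log but gone from the later one (what the cleanup removed)."""
    later = set(parse_hjt(after))
    return [e for e in parse_hjt(before) if e not in later]

# Sample lines copied from the HijackThis log above. The last O4 line is constructed in
# HijackThis form from the Silent Runners Policies\Explorer\Run entry, which HijackThis did not list.
BEFORE = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D34F5D71-99E4-4D96-91CA-F4104F69B8AE} - C:\Program Files\Video AX Object\bpvol.dll
O3 - Toolbar: Protection Bar - {F0993251-2512-4710-AF6E-0A13EA199D02} - C:\Program Files\Video AX Object\splug.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video AX Object\bpmon.exe
"""

# Constructed "after" log: the same host with the Video AX Object items gone.
AFTER = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
"""

if __name__ == "__main__":
    for entry, reason in flag(parse_hjt(BEFORE)):
        print(f"{entry.section} {entry.path}: {reason}")
    print("removed by cleanup:", [e.path for e in removed_between(BEFORE, AFTER)])
```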
Joan
(Joan Sunshine)
7 May 2007 10:33
#2
Run SmitFraudFix with option 2 in Safe Mode, then post new logs and also the SmitFraudFix report, the file c:\rapport.txt.
I don't know if I did the right thing, but I remembered the System Restore feature... My problems started after downloading codecs, so I picked an earlier restore point :?
For now I don't see any worrying symptoms; I'll post a scan.
Thanks Joan, what do you think?
Joan
(Joan Sunshine)
7 May 2007 11:22
#4
Please post new logs, because the infection was not removed that way.
mks detected one infected file (\system32\ilmpjy.dll), but this time it removed it.
logs after:
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Cpqset” = “C:\Program Files\HPQ\Default Settings\cpqset.exe” [null data] “SynTPEnh” = “C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [“Synaptics, Inc.”] “WatchDog” = “C:\Program Files\InterVideo\DVD Check\DVDCheck.exe” [“InterVideo Inc.”] “igfxtray” = “C:\WINDOWS\system32\igfxtray.exe” [“Intel Corporation”] “igfxhkcmd” = “C:\WINDOWS\system32\hkcmd.exe” [“Intel Corporation”] “igfxpers” = “C:\WINDOWS\system32\igfxpers.exe” [“Intel Corporation”] “hpWirelessAssistant” = “C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe” [“Hewlett-Packard Development Company, L.P.”] “SoundMAX” = “C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray” [“Analog Devices, Inc.”] “IAAnotif” = “C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe” [“Intel Corporation”] “HP Software Update” = “C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Co.”] “SoundMAXPnP” = “C:\Program Files\Analog Devices\Core\smax4pnp.exe” [“Analog Devices, Inc.”] “PTHOSTTR” = “C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start” [“Hewlett-Packard Development Company, L.P.”] “CognizanceTS” = “rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule” [MS] “QlbCtrl” = “C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start” “NeroCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {02478D38-C3F9-4EFB-9B51-7695ECA05670}(Default) = (no title provided) -> {HKLM…CLSID} = “Yahoo! 
Toolbar Helper” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {DF21F1DB-80C6-11D3-9483-B03D0EC10000}(Default) = (no title provided) -> {HKLM…CLSID} = “HP Credential Manager for ProtectTools” \InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll” [“Infineon Technologies AG”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”] “{6af09ec9-b429-11d4-a1fb-0090960218cb}” = “My Bluetooth Places” -> {HKLM…CLSID} = “Moje miejsca interfejsu Bluetooth” \InProcServer32(Default) = “C:\WINDOWS\system32\btneighborhood.dll” [“Broadcom Corporation.”] “{666C7831-A9B6-4AB4-94ED-DC238C81E925}” = “Document Manager (Context Menu)” -> {HKLM…CLSID} = “Document Manager 
(Shell Context Menu)”
\InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\SFSShell.dll” [“Cognizance Corporation”]
“{666C7832-A9B6-4AB4-94ED-DC238C81E925}” = “Document Manager (File Properties)”
-> {HKLM…CLSID} = “Document Manager (Shell File Properties)”
\InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\SFSShell.dll” [“Cognizance Corporation”]
“{666C7835-A9B6-4AB4-94ED-DC238C81E925}” = “Document Manager (Drive Properties)”
-> {HKLM…CLSID} = “Document Manager (Shell Drive Properties)”
\InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\SFSShell.dll” [“Cognizance Corporation”]
“{E08BF9C5-191E-4B15-8F67-2622B4DB5580}” = “PSD Shell Extension”
-> {HKLM…CLSID} = “PSDShCtrl Class”
\InProcServer32(Default) = “C:\Program Files\ProtectTools\Embedded Security Software\PSDShExt.dll” [“Infineon Technologies AG”]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
“{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play”
-> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play”
\InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> IfxWlxEN\DLLName = “IfxWlxEN.dll” [“Infineon Technologies AG”]
<<!>> igfxcui\DLLName = “igfxdev.dll” [“Intel Corporation”]
<<!>> OneCard\DLLName = “C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll” [“Cognizance Corporation”]

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\
DisplayName = “Default Domain Policy”
0\ -> launches: “\\ens.pl\sysvol\ens.pl\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\LocalAdmins.bat” [** WMI GetObject error **]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”
-> {HKLM…CLSID} = “PDF Shell Extension”
\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
APSDShExt(Default) = “{E08BF9C5-191E-4B15-8F67-2622B4DB5580}”
-> {HKLM…CLSID} = “PSDShCtrl Class”
\InProcServer32(Default) = “C:\Program Files\ProtectTools\Embedded Security Software\PSDShExt.dll” [“Infineon Technologies AG”]
Document Manager(Default) = “{666C7831-A9B6-4AB4-94ED-DC238C81E925}”
-> {HKLM…CLSID} = “Document Manager (Shell Context Menu)”
\InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\SFSShell.dll” [“Cognizance Corporation”]
PowerArchiver(Default) = “{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}”
-> {HKLM…CLSID} = “PowerArchiver Shell Extensions”
\InProcServer32(Default) = “C:\Program Files\PowerArchiver\PASHLEXT.DLL” [“eFront Media, Inc.”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
Document Manager(Default) = “{666C7831-A9B6-4AB4-94ED-DC238C81E925}”
-> {HKLM…CLSID} = “Document Manager (Shell Context Menu)”
\InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\SFSShell.dll” [“Cognizance Corporation”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
APSDShExt(Default) = “{E08BF9C5-191E-4B15-8F67-2622B4DB5580}”
-> {HKLM…CLSID} = “PSDShCtrl Class”
\InProcServer32(Default) = “C:\Program Files\ProtectTools\Embedded Security Software\PSDShExt.dll” [“Infineon Technologies AG”]
PowerArchiver(Default) = “{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}”
-> {HKLM…CLSID} = “PowerArchiver Shell Extensions”
\InProcServer32(Default) = “C:\Program Files\PowerArchiver\PASHLEXT.DLL” [“eFront Media, Inc.”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
“Wallpaper” = “C:\WINDOWS\HP Cityscape.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
“Wallpaper” = “C:\WINDOWS\HP Cityscape.bmp”

Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
“SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS]

Startup items in “emiekoc” & “All Users” startup folders:
---------------------------------------------------------
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
“Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”]
“BTTray” -> shortcut to: “C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe” [“Broadcom Corporation.”]
“DVD Check” -> shortcut to: “C:\Program Files\InterVideo\DVD Check\DVDCheck.exe” [“InterVideo Inc.”]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
“{EF99BD32-C1FB-11D2-892F-0090271D4F88}”
-> {HKLM…CLSID} = “Yahoo! Toolbar”
\InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
“{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = (no title provided)
-> {HKLM…CLSID} = “Yahoo! Toolbar”
\InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie”
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
“ButtonText” = “Badanie”

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
“ButtonText” = “@btrez.dll ,-4015”
“MenuText” = “@btrez.dll ,-4017”
“Script” = “C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm” [null data]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
“ButtonText” = “Messenger”
“MenuText” = “Windows Messenger”
“Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS]

Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”)

Added lines (compared with English-language version):
[strings]: START_PAGE_URL=http://www.hp.com

Missing lines (compared with English-language version):
[strings]: 1 line

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<!>> “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = “*_” (unwritable string)
-> {HKLM…CLSID} = “Yahoo! Toolbar”
\InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Bluetooth Service, btwdins, “C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe” [“Broadcom Corporation.”]
hpqwmiex, hpqwmiex, “C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe” [“Hewlett-Packard Development Company, L.P.”]
Intel® Matrix Storage Event Monitor, IAANTMon, “C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe” [“Intel Corporation”]
Local Communication Channel, ASChannel, “C:\WINDOWS\System32\svchost.exe -k Cognizance” {“C:\Program Files\HPQ\IAM\Bin\ASChnl.dll” [“Cognizance Corporation”]}
Personal Secure Drive Service, PersonalSecureDriveService, ““C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE”” [“Infineon Technologies AG”]
Radia Management Agent, rma, “C:/Novadigm/ManagementAgent/nvdkit.exe” [null data]
Security Platform Management Service, IFXSpMgtSrv, “C:\WINDOWS\system32\IFXSPMGT.exe” [“Infineon Technologies AG”]
Trusted Platform Core Service, IFXTCS, “C:\WINDOWS\system32\IFXTCS.exe” [“Infineon Technologies AG”]

Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
CPCA Language Monitor2\Driver = “AUCPLMNT.DLL” [“CANON INC.”]
HP Master Monitor\Driver = “HPBMMON.DLL” [“Hewlett-Packard”]
HP Mobile Printing Monitor\Driver = “HPMPMW.DLL” [“Hewlett-Packard”]
Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS]
Port drukarki interfejsu Bluetooth\Driver = “bthcrp.dll” [“Broadcom Corporation.”]

----------
<<!>>: Suspicious data at a malware launch point.
<<!>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer “No” at
first message box and “Yes” at second message box.
----------
(total run time: 27 seconds, including 5 seconds for message boxes)
Logfile of HijackThis v1.99.1
Scan saved at 15:06:18, on 2007-05-07
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\Novadigm\ManagementAgent\nvdkit.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\Instalki\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll ,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll ,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: http://ens-dcbkp.ens.pl
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {20DD1B9E-87C4-11D1-8BE3-0000F8754DA1} (Microsoft Date and Time Picker Control, version 6.0) - http://ens-dcbkp.ens.pl/travel/plugins/mscomct2.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://217.173.193.218/activex/AxisCamControl.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rvi.se.ericsson.net/dana-cached … tupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ens.pl
O17 - HKLM\Software\..\Telephony: DomainName = ens.pl
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ens.pl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ens.pl
O20 - Winlogon Notify: IfxWlxEN - C:\WINDOWS\SYSTEM32\IfxWlxEN.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: Radia Management Agent (rma) - Unknown owner - C:/Novadigm/ManagementAgent/nvdkit.exe
Post merged: 07.05.2007 (Mon) 15:26
mks detected one infected file (\system32\ilmpjy.dll), but this time it removed it.
Logs afterwards:
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“Cpqset” = “C:\Program Files\HPQ\Default Settings\cpqset.exe” [null data]
“SynTPEnh” = “C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [“Synaptics, Inc.”]
“WatchDog” = “C:\Program Files\InterVideo\DVD Check\DVDCheck.exe” [“InterVideo Inc.”]
“igfxtray” = “C:\WINDOWS\system32\igfxtray.exe” [“Intel Corporation”]
“igfxhkcmd” = “C:\WINDOWS\system32\hkcmd.exe” [“Intel Corporation”]
“igfxpers” = “C:\WINDOWS\system32\igfxpers.exe” [“Intel Corporation”]
“hpWirelessAssistant” = “C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe” [“Hewlett-Packard Development Company, L.P.”]
“SoundMAX” = “C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray” [“Analog Devices, Inc.”]
“IAAnotif” = “C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe” [“Intel Corporation”]
“HP Software Update” = “C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Co.”]
“SoundMAXPnP” = “C:\Program Files\Analog Devices\Core\smax4pnp.exe” [“Analog Devices, Inc.”]
“PTHOSTTR” = “C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start” [“Hewlett-Packard Development Company, L.P.”]
“CognizanceTS” = “rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule” [MS]
“QlbCtrl” = “C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start”
“NeroCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}(Default) = (no title provided)
-> {HKLM…CLSID} = “Yahoo! Toolbar Helper”
\InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
-> {HKLM…CLSID} = “Adobe PDF Reader Link Helper”
\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]
{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”]
{DF21F1DB-80C6-11D3-9483-B03D0EC10000}(Default) = (no title provided)
-> {HKLM…CLSID} = “HP Credential Manager for ProtectTools”
\InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll” [“Infineon Technologies AG”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”
-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”
\InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
-> {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]
“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS]
“{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”]
“{6af09ec9-b429-11d4-a1fb-0090960218cb}” = “My Bluetooth Places”
-> {HKLM…CLSID} = “Moje miejsca interfejsu Bluetooth”
\InProcServer32(Default) = “C:\WINDOWS\system32\btneighborhood.dll” [“Broadcom Corporation.”]
“{666C7831-A9B6-4AB4-94ED-DC238C81E925}” = “Document Manager (Context Menu)”
-> {HKLM…CLSID} = “Document Manager (Shell Context Menu)”
\InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\SFSShell.dll” [“Cognizance Corporation”]
“{666C7832-A9B6-4AB4-94ED-DC238C81E925}” = “Document Manager (File Properties)”
-> {HKLM…CLSID} = “Document Manager (Shell File Properties)”
\InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\SFSShell.dll” [“Cognizance Corporation”]
“{666C7835-A9B6-4AB4-94ED-DC238C81E925}” = “Document Manager (Drive Properties)”
-> {HKLM…CLSID} = “Document Manager (Shell Drive Properties)”
\InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\SFSShell.dll” [“Cognizance Corporation”]
“{E08BF9C5-191E-4B15-8F67-2622B4DB5580}” = “PSD Shell Extension”
-> {HKLM…CLSID} = “PSDShCtrl Class”
\InProcServer32(Default) = “C:\Program Files\ProtectTools\Embedded Security Software\PSDShExt.dll” [“Infineon Technologies AG”]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
“{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play”
-> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play”
\InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> IfxWlxEN\DLLName = “IfxWlxEN.dll” [“Infineon Technologies AG”]
<<!>> igfxcui\DLLName = “igfxdev.dll” [“Intel Corporation”]
<<!>> OneCard\DLLName = “C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll” [“Cognizance Corporation”]

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\
DisplayName = “Default Domain Policy”
0\ -> launches: “\\ens.pl\sysvol\ens.pl\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\LocalAdmins.bat” [** WMI GetObject error **]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”
-> {HKLM…CLSID} = “PDF Shell Extension”
\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
APSDShExt(Default) = “{E08BF9C5-191E-4B15-8F67-2622B4DB5580}”
-> {HKLM…CLSID} = “PSDShCtrl Class”
\InProcServer32(Default) = “C:\Program Files\ProtectTools\Embedded Security Software\PSDShExt.dll” [“Infineon Technologies AG”]
Document Manager(Default) = “{666C7831-A9B6-4AB4-94ED-DC238C81E925}”
-> {HKLM…CLSID} = “Document Manager (Shell Context Menu)”
\InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\SFSShell.dll” [“Cognizance Corporation”]
PowerArchiver(Default) = “{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}”
-> {HKLM…CLSID} = “PowerArchiver Shell Extensions”
\InProcServer32(Default) = “C:\Program Files\PowerArchiver\PASHLEXT.DLL” [“eFront Media, Inc.”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
Document Manager(Default) = “{666C7831-A9B6-4AB4-94ED-DC238C81E925}”
-> {HKLM…CLSID} = “Document Manager (Shell Context Menu)”
\InProcServer32(Default) = “C:\Program Files\HPQ\IAM\Bin\SFSShell.dll” [“Cognizance Corporation”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
APSDShExt(Default) = “{E08BF9C5-191E-4B15-8F67-2622B4DB5580}”
-> {HKLM…CLSID} = “PSDShCtrl Class”
\InProcServer32(Default) = “C:\Program Files\ProtectTools\Embedded Security Software\PSDShExt.dll” [“Infineon Technologies AG”]
PowerArchiver(Default) = “{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}”
-> {HKLM…CLSID} = “PowerArchiver Shell Extensions”
\InProcServer32(Default) = “C:\Program Files\PowerArchiver\PASHLEXT.DLL” [“eFront Media, Inc.”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
“Wallpaper” = “C:\WINDOWS\HP Cityscape.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
“Wallpaper” = “C:\WINDOWS\HP Cityscape.bmp”

Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
“SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS]

Startup items in “emiekoc” & “All Users” startup folders:
---------------------------------------------------------
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
“Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”]
“BTTray” -> shortcut to: “C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe” [“Broadcom Corporation.”]
“DVD Check” -> shortcut to: “C:\Program Files\InterVideo\DVD Check\DVDCheck.exe” [“InterVideo Inc.”]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
“{EF99BD32-C1FB-11D2-892F-0090271D4F88}”
-> {HKLM…CLSID} = “Yahoo! Toolbar”
\InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
“{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = (no title provided)
-> {HKLM…CLSID} = “Yahoo! Toolbar”
\InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie”
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
“ButtonText” = “Badanie”

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
“ButtonText” = “@btrez.dll ,-4015”
“MenuText” = “@btrez.dll ,-4017”
“Script” = “C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm” [null data]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
“ButtonText” = “Messenger”
“MenuText” = “Windows Messenger”
“Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS]

Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”)

Added lines (compared with English-language version):
[strings]: START_PAGE_URL=http://www.hp.com

Missing lines (compared with English-language version):
[strings]: 1 line

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<!>> “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = “*_” (unwritable string)
-> {HKLM…CLSID} = “Yahoo! Toolbar”
\InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Bluetooth Service, btwdins, “C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe” [“Broadcom Corporation.”]
hpqwmiex, hpqwmiex, “C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe” [“Hewlett-Packard Development Company, L.P.”]
Intel® Matrix Storage Event Monitor, IAANTMon, “C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe” [“Intel Corporation”]
Local Communication Channel, ASChannel, “C:\WINDOWS\System32\svchost.exe -k Cognizance” {“C:\Program Files\HPQ\IAM\Bin\ASChnl.dll” [“Cognizance Corporation”]}
Personal Secure Drive Service, PersonalSecureDriveService, ““C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE”” [“Infineon Technologies AG”]
Radia Management Agent, rma, “C:/Novadigm/ManagementAgent/nvdkit.exe” [null data]
Security Platform Management Service, IFXSpMgtSrv, “C:\WINDOWS\system32\IFXSPMGT.exe” [“Infineon Technologies AG”]
Trusted Platform Core Service, IFXTCS, “C:\WINDOWS\system32\IFXTCS.exe” [“Infineon Technologies AG”]

Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
CPCA Language Monitor2\Driver = “AUCPLMNT.DLL” [“CANON INC.”]
HP Master Monitor\Driver = “HPBMMON.DLL” [“Hewlett-Packard”]
HP Mobile Printing Monitor\Driver = “HPMPMW.DLL” [“Hewlett-Packard”]
Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS]
Port drukarki interfejsu Bluetooth\Driver = “bthcrp.dll” [“Broadcom Corporation.”]

----------
<<!>>: Suspicious data at a malware launch point.
<<!>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer “No” at
first message box and “Yes” at second message box.
----------
(total run time: 27 seconds, including 5 seconds for message boxes)
Logfile of HijackThis v1.99.1
Scan saved at 15:06:18, on 2007-05-07
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\Novadigm\ManagementAgent\nvdkit.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\Instalki\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: http://ens-dcbkp.ens.pl
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {20DD1B9E-87C4-11D1-8BE3-0000F8754DA1} (Microsoft Date and Time Picker Control, version 6.0) - http://ens-dcbkp.ens.pl/travel/plugins/mscomct2.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://217.173.193.218/activex/AxisCamControl.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rvi.se.ericsson.net/dana-cached … tupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ens.pl
O17 - HKLM\Software\..\Telephony: DomainName = ens.pl
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ens.pl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ens.pl
O20 - Winlogon Notify: IfxWlxEN - C:\WINDOWS\SYSTEM32\IfxWlxEN.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: Radia Management Agent (rma) - Unknown owner - C:/Novadigm/ManagementAgent/nvdkit.exe
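A first pass over a log like the one above can be scripted so the reviewer starts with the entries that most often hide persistence or a drive-by loader. The Python below is an added example written for this page; it is not part of the post and not HijackThis code. It parses the R*/O* entry lines and flags four things by heuristic: a service (O23) whose publisher HijackThis could not read, an ActiveX control (O16) fetched from a bare IP address, a site added to the Trusted Zone (O15), and a Winlogon Notify DLL (O20) loaded from outside the Windows directory. The sample input is a handful of lines copied from the log above and is constructed for the example; the heuristics, the `Entry`/`Finding` names and the `file_path` helper are the example's own assumptions. A flag means "verify this file", not "this is malware".

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a few entry lines copied from the HijackThis log
# in the post above. A real run would read the whole saved log from a file.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O15 - Trusted Zone: http://ens-dcbkp.ens.pl
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://217.173.193.218/activex/AxisCamControl.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Radia Management Agent (rma) - Unknown owner - C:/Novadigm/ManagementAgent/nvdkit.exe
"""

# HijackThis entry lines start with a section code (R0, O4, O23, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# A URL whose host is a dotted-quad rather than a name.
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)", re.IGNORECASE)
WINDOWS_DIR = "c:\\windows\\"  # assumption: the OS lives on C:, as in the log above


@dataclass
class Entry:
    section: str  # e.g. "O23"
    body: str     # everything after "O23 - "
    raw: str      # the full line, for reporting


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_entries(log: str) -> list[Entry]:
    """Return the R*/F*/N*/O* entry lines; the header and process list are skipped."""
    entries: list[Entry] = []
    for raw in log.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append(Entry(m.group("section"), m.group("body"), raw))
    return entries


def file_path(entry: Entry) -> str:
    """HijackThis puts the file or URL in the last ' - '-separated field of an entry."""
    return entry.body.rsplit(" - ", 1)[-1].strip()


def triage(log: str) -> list[Finding]:
    """Apply the review heuristics and return the entries worth checking by hand."""
    findings: list[Finding] = []
    for e in parse_entries(log):
        if e.section == "O23" and " - Unknown owner - " in e.body:
            findings.append(Finding(e, "service with no recorded publisher"))
        elif e.section == "O16" and BARE_IP_URL.search(e.body):
            findings.append(Finding(e, "ActiveX control downloaded from a bare IP address"))
        elif e.section == "O15":
            findings.append(Finding(e, "site added to the Trusted Zone (relaxed IE security)"))
        elif e.section == "O20" and not file_path(e).lower().startswith(WINDOWS_DIR):
            findings.append(Finding(e, "Winlogon Notify DLL loaded from outside the Windows directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.section}: {f.reason}\n    {f.entry.raw}")
```

On the sample this reports the O15 Trusted Zone entry, the O16 control from 217.173.193.218, the OneCard Winlogon Notify DLL and the Radia service; the O20/O23 entries under C:\WINDOWS and with a named publisher pass. The next step for each flagged line is the usual one: check the file's signature and hash, not its name, because an entry mimicking a vendor or system name is exactly what a log like this is read for.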
Gutek
(Gutek)
7 May 2007 14:40
#6