LOG - ostatnio ciągla mi się coś wykrywa i to daję

Kicior · 30 Październik 2006 08:00

Witam

Ostatnio skanery antywirusowe (mój NOD i scaner Kaspersky’ego na necie) i Ewido ciągle coś wykrywa, więc proszę o sprawdzenie zarzuconego LOGa.

A i, czy usunięcie jakiejś linijki z Hijack’a definitywnie kończy sprawę wirusa/trojana/itp.?

Logfile of HijackThis v1.99.1

Scan saved at 08:58:43, on 2006-10-30

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

E:\Program Files\cFosSpeed PL\cFosSpeed.exe

E:\Program Files\Eset\nod32kui.exe

E:\Program Files\BitComet\BitComet Acceleration Patch\BitComet Acceleration Patch.exe

E:\Program Files\cFosSpeed PL\spd.exe

E:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

E:\Program Files\Agnitum\Outpost Firewall\outpost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Raxco\PerfectDisk\PDSched.exe

E:\Gadu-Gadu\gg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

E:\Downloads\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - e:\Program Files\Free Download Manager\iefdmcks.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll

O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [OutpostFeedBack] E:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup

O4 - HKLM\..\Run: [cFosSpeed] E:\Program Files\cFosSpeed PL\cFosSpeed.exe

O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [BitComet Acceleration Patch] C:\Documents and Settings\All Users\Menu Start\Programy\BitComet Acceleration Patch\BitComet Acceleration Patch.lnk

O8 - Extra context menu item: Download with Internet TOOLS - E:\PROGRAM FILES\MARBIT\TOOLS\MBdownload.htm

O8 - Extra context menu item: Pobierz przez Net Transport - E:\Program Files\Xi\NetTransport 2\NTAddLink.html

O8 - Extra context menu item: Pobierz wszystko przez Net Transport - E:\Program Files\Xi\NetTransport 2\NTAddList.html

O8 - Extra context menu item: Pobierz wszystko z Free Download Manager - file://e:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Pobierz z Free Download Manager - file://e:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: Pobierz zaznaczenie z Free Download Manager - file://e:\Program Files\Free Download Manager\dlselected.htm

O9 - Extra button: Szybkie dostosowywanie programu Outpost Firewall Pro - {44627E97-789B-40d4-B5C2-58BD171129A1} - E:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll

O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll

O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135805413188

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - AppInit_DLLs: e:\progra~1\agnitum\outpos~1.0\wl_hook.dll

O20 - Winlogon Notify: wingmo32 - wingmo32.dll (file missing)

O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - E:\Program Files\cFosSpeed PL\spd.exe" -service (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NBService - Nero AG - E:\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - E:\Program Files\Agnitum\Outpost Firewall\outpost.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

Pozdrawiam, Kicior.

Myszak · 30 Październik 2006 11:36

Skasuj.

Daj log z Silent Runners – tu masz opis.

podaj lokalizacje.

nie zawsze …

Kicior · 30 Październik 2006 13:57

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

"{1B6317E6-05F9-1045-0529-020308020030}" = ""C:\Program Files\Common Files\{1B6317E6-05F9-1045-0529-020308020030}\Update.exe" mc-110-12-0000272" [file not found]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Zasobnik systemowy" = "SysTray.Exe" [MS]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"OutpostFeedBack" = "E:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup" ["Agnitum Ltd."]

"cFosSpeed" = "E:\Program Files\cFosSpeed PL\cFosSpeed.exe" ["cFos Software GmbH"]

"nod32kui" = ""E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "FDMIECookiesBHO Class"

                   \InProcServer32\(Default) = "e:\Program Files\Free Download Manager\iefdmcks.dll" [null data]

{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "EpsonToolBandKicker Class"

                   \InProcServer32\(Default) = "C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" ["SEIKO EPSON CORPORATION"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL" [MS]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {HKLM...CLSID} = "Shell Search Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"

  -> {HKLM...CLSID} = "TuneUp Theme Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\uxtuneup.dll" ["TuneUp Software GmbH"]

"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"

  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"

                   \InProcServer32\(Default) = "E:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll" ["TuneUp Software GmbH"]

"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"

  -> {HKLM...CLSID} = "NetWare Objects"

                   \InProcServer32\(Default) = "nwprovau.dll" [MS]

"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"

  -> {HKLM...CLSID} = "NetWare UNC Folder Menu"

                   \InProcServer32\(Default) = "nwprovau.dll" [MS]

"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"

  -> {HKLM...CLSID} = "NetWare Hood Verbs"

                   \InProcServer32\(Default) = "nwprovau.dll" [MS]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "E:\Program Files\Eset\nodshex.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

INFECTION WARNING! "AppInit_DLLs" = " e:\progra~1\agnitum\outpos~1.0\wl_hook.dll" [file not found]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! wingmo32\DLLName = "wingmo32.dll" [file not found]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

  -> {HKLM...CLSID} = "7-Zip Shell Extension"

                   \InProcServer32\(Default) = "E:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

  -> {HKLM...CLSID} = "Outpost.ASWShellExt Component"

                   \InProcServer32\(Default) = "E:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]

ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "E:\Program Files\Eset\nodshex.dll" [null data]

TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"

  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"

                   \InProcServer32\(Default) = "E:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll" ["TuneUp Software GmbH"]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

  -> {HKLM...CLSID} = "7-Zip Shell Extension"

                   \InProcServer32\(Default) = "E:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

  -> {HKLM...CLSID} = "Outpost.ASWShellExt Component"

                   \InProcServer32\(Default) = "E:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]

ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"

  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"

                   \InProcServer32\(Default) = "E:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll" ["TuneUp Software GmbH"]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

  -> {HKLM...CLSID} = "Outpost.ASWShellExt Component"

                   \InProcServer32\(Default) = "E:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]

NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"

  -> {HKLM...CLSID} = "NetWare UNC Folder Menu"

                   \InProcServer32\(Default) = "nwprovau.dll" [MS]

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "E:\Program Files\Eset\nodshex.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Crocket\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]



Enabled Scheduled Tasks:

------------------------


"Rozpoczęcie aplikacji dostrajania" -> launches: "walign" [file not found]

"1-Click Maintenance" -> launches: "E:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 28

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 27

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}"

  -> {HKLM...CLSID} = "EPSON Web-To-Page"

                   \InProcServer32\(Default) = "C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" ["SEIKO EPSON CORPORATION"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}" = (no title provided)

  -> {HKLM...CLSID} = "EPSON Web-To-Page"

                   \InProcServer32\(Default) = "C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" ["SEIKO EPSON CORPORATION"]

"{0D704FAD-66E9-4F0A-BFED-4F665770DDB3}" = (no title provided)

  -> {HKLM...CLSID} = "&Tłumaczenie"

                   \InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" ["Techland"]


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{175556B1-4D91-4E9A-9C4B-D6888D5DEE6C}\(Default) = "&Ramka Tłumaczenia"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" ["Techland"]


HKLM\Software\Classes\CLSID\{A1A7E22D-1587-4230-8F16-081C68D21448}\(Default) = "Szybkie dostosowywanie programu"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "E:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll" ["Agnitum Ltd."]


HKLM\Software\Classes\CLSID\{D553F157-2AB0-4B46-98D2-7BA7CA418491}\(Default) = "&Słownik Podręczny"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" ["Techland"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{44627E97-789B-40D4-B5C2-58BD171129A1}\

"ButtonText" = "Szybkie dostosowywanie programu Outpost Firewall Pro"


{B46B0919-62BA-4D99-A5C4-916B57A6805C}\

"MenuText" = "@C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103"

"CLSIDExtension" = "{B46B0919-62BA-4D99-A5C4-916B57A6805C}"

  -> {HKLM...CLSID} = "InternetTranslatorProperties Class"

                   \InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" ["Techland"]


{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Miscellaneous IE Hijack Points

------------------------------


HKLM\Software\Microsoft\Internet Explorer\AboutURLs\


Missing lines (compared with English-language version):

HIJACK WARNING! "TuneUp" = "file://C|/WINDOWS/Profiles/All Users/Dane aplikacji/TuneUp Software/Common/base.css" [file not found]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


cFosSpeed System Service, cFosSpeedS, ""E:\Program Files\cFosSpeed PL\spd.exe" -service" ["cFos Software GmbH"]

NOD32 Kernel Service, NOD32krn, ""E:\Program Files\Eset\nod32krn.exe"" ["Eset "]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Outpost Firewall Service, OutpostFirewall, "E:\Program Files\Agnitum\Outpost Firewall\outpost.exe /service" ["Agnitum Ltd."]

PDScheduler, PDSched, ""C:\Program Files\Raxco\PerfectDisk\PDSched.exe"" ["Raxco Software, Inc."]

TuneUp Design Expansion, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}

Usługa klienta dla systemu NetWare, NWCWorkstation, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\nwwks.dll" [MS]}

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

EPSON Stylus DX3800 Series 2KMonitor5E\Driver = "E_FLMACE.DLL" ["SEIKO EPSON CORPORATION"]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 51 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 23 seconds.

---------- (total run time: 97 seconds)

Te lokalizacje zaraz podam, tylko się przeskanuje, ale sam odkryłem proces WDFMRG.exe - jak narazie po włąćzeniu komputera usuwałem to cały czas z Menedżera Zadań, ale w autostarcie nic nie robiłem.

http://www.liutilities.com/products/wintaskspro/processlibrary/wdfmrg/ - tu jest opis tego syfu…

adam9870 · 30 Październik 2006 14:05

Proszę otworzyć Notatnik i wkleić w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG i uruchom go w trybie awaryjnym.

I czekamy na dokładne ścieżki do znalezionych plików. Najlepiej wklej raport ze skanowania.

Kicior · 30 Październik 2006 14:57

E:\Downloads\vccodec.589.exe/data0007 Zainfekowanych: Trojan-Downloader.Win32.Zlob.ara

E:\Downloads\vccodec.589.exe NSIS: zainfekowany - 1

E:\Downloads\vccodec.589.exe UPX: zainfekowany - 1

E:\Program Files\Agnitum\Outpost Firewall\Plugins\AntiSpyware\quarantine\00000404.asw/stream/data0003 Zainfekowanych: not-a-virus:AdWare.Win32.Softomate.u pominięty

E:\Program Files\Agnitum\Outpost Firewall\Plugins\AntiSpyware\quarantine\00000404.asw/stream/data0004 Zainfekowanych: not-a-virus:AdWare.Win32.Softomate.u pominięty

E:\Program Files\Agnitum\Outpost Firewall\Plugins\AntiSpyware\quarantine\00000404.asw/stream/data0005 Zainfekowanych: not-a-virus:AdWare.Win32.Softomate.u pominięty

E:\Program Files\Agnitum\Outpost Firewall\Plugins\AntiSpyware\quarantine\00000404.asw/stream/data0007 Zainfekowanych: not-a-virus:AdWare.Win32.Softomate.u pominięty

E:\Program Files\Agnitum\Outpost Firewall\Plugins\AntiSpyware\quarantine\00000404.asw/stream Zainfekowanych: not-a-virus:AdWare.Win32.Softomate.u

E:\Program Files\Agnitum\Outpost Firewall\Plugins\AntiSpyware\quarantine\00000404.asw NSIS: zainfekowany - 5 pominięty

E:\Program Files\Agnitum\Outpost Firewall\Plugins\AntiSpyware\quarantine\00000407.asw Zainfekowanych: not-a-virus:AdWare.Win32.Softomate.u

Sory, tak nas szybko

Myszak · 30 Październik 2006 15:01

Użyj programu Killbox. Uruchamiasz zaznaczasz Delete on reboot, w polu full path of file wklej ścieżkę :

E:\Downloads\vccodec.589.exe

Klikasz X i reset kompa.

Pliki są w kwarantannie. W tym przypadku nie są groźne.

Kicior · 30 Październik 2006 16:18

To coś wyrnąłem

Ten Killbox to jest program do usuwania plików i procesów?..

Jednak ten proces jest cały czas

Jeszcze proszę o trochę pomocy…

Bieniol · 30 Październik 2006 16:34

Tak

Zrób skan EWIDO po update

Przeskanuj komputer programami Ad-aware SE Personal 1.06 oraz Spybot Search & Destroy 1.4

Wrzuć jeszcze log z l2mfix (wybierasz opcje 1)

Myszak · 30 Październik 2006 16:51

Start --> uruchom --> cmd i wpisz :

i sprawdź czy masz w folderze C:\WINDOWS\System32 plik WDFMRG.exe - bo w logach tego nie widać.

Kicior · 30 Październik 2006 17:22

O, ■■■■… :oops: - ten proces nazywa się WDFM G R, czyli proces WMP 10… :oops:

Przepraszam was, sory, sory, sory… :oops:

L2MFIX find log 032106

Bieniol · 30 Październik 2006 17:35

Czysto