Na świeży system po formacie złapałem od razu wirusa sassera/blastera tego co wyświetla okno, że system zamknie się za 30sec
Już się takie okno nie pojawia, ale chce się upewnić czy “all clear”
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:04:12, on 2007-08-12
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
D:\AutoConnect\AutoConnect.exe
D:\Mozilla Firefox\firefox.exe
D:\Gadu-Gadu\gg.exe
D:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [AutoConnect] D:\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\twain_32" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\eHome" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\config" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Cursors" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Connection Wizard" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_06] cmd.exe /c md "%SystemRoot%\Web\Wallpaper" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_07] cmd.exe /c md "C:\Documents and Settings\Default User\Dane aplikacji\Microsoft\Internet Explorer\Quick Launch" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_08] cmd.exe /c md "%AppData%\Microsoft\Internet Explorer\Quick Launch" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_09] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\Inetsrv" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_10] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\Npp" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_11] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\help" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_12] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\pchealth" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_13] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\ime" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_14] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\msagent" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_15] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\Oobe" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_16] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_17] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Tasks" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_18] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Help\Tours" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_19] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\NtmsData" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_20] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\Icsxml" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_21] cmd.exe /c md "%USERPROFILE%\Ustawienia lokalne\Temp" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_22] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_23] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_24] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_25] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_26] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\twain_32" (User 'USŁUGA SIECIOWA')
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{8574B6C7-9C9D-40AE-AD49-7C1954D05EED}: NameServer = 213.241.79.37 83.238.255.76
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 4858 bytes
Silent
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AutoConnect" = "D:\AutoConnect\AutoConnect.exe" ["http://autoconnect.prv.pl"]
"Gadu-Gadu" = ""D:\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
-> {HKLM...CLSID} = "IE Microsoft AutoComplete"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"
-> {HKLM...CLSID} = "Eksplorator pulpitów"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]
Default executables:
--------------------
HKLM\Software\Classes\.hta\(Default) = (value not set)
HKLM\Software\Classes\htafile\shell\open\command\ = (key not found)
HKLM\Software\Classes\htafile\
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoInternetIcon" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Desktop|
Hide Internet Explorer icon on desktop}
"NoSMHelp" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove Help menu from Start Menu}
"NoInstrumentation" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoStartMenuMFUprogramsList" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoResolveTrack" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"LinkResolveIgnoreLinkInfo" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoResolveSearch" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoRecentDocsMenu" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoRecentDocsHistory" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoStartBanner" = (REG_DWORD) hex:0x00000001
{Remove "Click here to begin" from Start button}
"NoSMMyDocs" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove Documents menu from Start Menu}
"NoSMMyPictures" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove My Pictures icon from Start Menu}
"NoStartMenuPinnedList" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoSMConfigurePrograms" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDesktopCleanupWizard" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"ForceClassicControlPanel" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"DisableStatusMessages" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"VerboseStatus" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Enabled Scheduled Tasks:
------------------------
WARNING! The "C:\WINDOWS\Tasks" directory cannot be found.
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
<> C:\WINDOWS\INF\IERESET.INF was not found!
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
BJ Language Monitor\Driver = "cnbjmon.dll" [file not found]
PJL Language Monitor\Driver = "pjlmon.dll" [file not found]
---------- (launch time: 2007-08-12 16:08:16)
<>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 13 seconds.
---------- (total run time: 137 seconds)