Możliwy wirus w tle

Smercz · 4 Grudzień 2007 19:52

Ostatnio mój system się zmula w pracy i obciażenie cpu skacze w zakładce menadżera zadań->wydajność, mimo że w zakładce procesy system bezczynnościowy ma 99%…

"Silent Runners.vbs", revision 53, http://www.silentrunners.org/ 

Operating System: Windows XP SP2 

Output limited to non-default values, except where indicated by "{++}" 



Startup items buried in registry: 

--------------------------------- 


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} 

"Gadu-Gadu" = ""D:\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."] 

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS] 


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} 

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS] 

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"] 

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS] 

"avgnt" = ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"] 

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" 

"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."] 

"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS] 

"PCSuiteTrayApplication" = "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup" ["Nokia"] 


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ 

{85F685C3-20D9-4943-95E4-EB4224056C3F}\(Default) = (no title provided) 

-> {HKLM...CLSID} = "Expressivo" 

\InProcServer32\(Default) = "C:\Program Files\ivo\Expressivo\IH_iexplore.dll" ["IVO Software Sp. z o.o."] 


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ 

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" 

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" 

\InProcServer32\(Default) = "deskpan.dll" [file not found] 

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" 

-> {HKLM...CLSID} = "HyperTerminal Icon Ext" 

\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] 

"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "&Do osób..." 

-> {HKLM...CLSID} = "&Do osób..." 

\InProcServer32\(Default) = "C:\Program Files\Outlook Express\wabfind.dll" [file not found] 

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" 

-> {HKLM...CLSID} = "DesktopContext Class" 

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"] 

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" 

-> {HKLM...CLSID} = "NVIDIA CPL Extension" 

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"] 

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" 

-> {HKLM...CLSID} = "Desktop Explorer" 

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] 

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" 

-> {HKLM...CLSID} = (no title provided) 

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] 

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" 

-> {HKLM...CLSID} = "nView Desktop Context Menu" 

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] 

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" 

-> {HKLM...CLSID} = "WinRAR" 

\InProcServer32\(Default) = "e:\WinRAR\rarext.dll" [null data] 

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" 

-> {HKLM...CLSID} = "Portable Media Devices Menu" 

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] 

"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser" 

-> {HKLM...CLSID} = "Nokia Phone Browser" 

\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"] 

"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning" 

-> {HKLM...CLSID} = "Shell Extension for Malware scanning" 

\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] 

"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension" 

-> {HKLM...CLSID} = "UnlockerShellExtension" 

\InProcServer32\(Default) = "e:\Unlocker\UnlockerCOM.dll" [null data] 

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" 

-> {HKLM...CLSID} = (no title provided) 

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS] 


HKLM\Software\Classes\PROTOCOLS\Filter\ 

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" 

-> {HKLM...CLSID} = (no title provided) 

\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS] 


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ 

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" 

-> {HKLM...CLSID} = "Shell Extension for Malware scanning" 

\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] 

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" 

-> {HKLM...CLSID} = "WinRAR" 

\InProcServer32\(Default) = "e:\WinRAR\rarext.dll" [null data] 


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ 

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" 

-> {HKLM...CLSID} = "WinRAR" 

\InProcServer32\(Default) = "e:\WinRAR\rarext.dll" [null data] 


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ 

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" 

-> {HKLM...CLSID} = "Shell Extension for Malware scanning" 

\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] 

UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" 

-> {HKLM...CLSID} = "UnlockerShellExtension" 

\InProcServer32\(Default) = "e:\Unlocker\UnlockerCOM.dll" [null data] 

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" 

-> {HKLM...CLSID} = "WinRAR" 

\InProcServer32\(Default) = "e:\WinRAR\rarext.dll" [null data] 


HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ 

UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" 

-> {HKLM...CLSID} = "UnlockerShellExtension" 

\InProcServer32\(Default) = "e:\Unlocker\UnlockerCOM.dll" [null data] 



Group Policies {GPedit.msc branch and setting}: 

----------------------------------------------- 


Note: detected settings may not have any effect. 


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ 


"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| 

Shutdown: Allow system to be shut down without having to log on} 


"undockwithoutlogon" = (REG_DWORD) dword:0x00000001 

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| 

Devices: Allow undock without having to log on} 



Active Desktop and Wallpaper: 

----------------------------- 


Active Desktop may be disabled at this entry: 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState 


Displayed if Active Desktop enabled and wallpaper not set by Group Policy: 

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ 

"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp" 


Displayed if Active Desktop disabled and wallpaper not set by Group Policy: 

HKCU\Control Panel\Desktop\ 

"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp" 



Enabled Screen Saver: 

--------------------- 


HKCU\Control Panel\Desktop\ 

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS] 



Winsock2 Service Provider DLLs: 

------------------------------- 


Namespace Service Providers 


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 


Transport Service Providers 


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: 

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 16 

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 



Toolbars, Explorer Bars, Extensions: 

------------------------------------ 


Toolbars 


HKLM\Software\Microsoft\Internet Explorer\Toolbar\ 

"{85F685C3-20D9-4943-95E4-EB4224056C3F}" = "Expressivo" 

-> {HKLM...CLSID} = "Expressivo" 

\InProcServer32\(Default) = "C:\Program Files\ivo\Expressivo\IH_iexplore.dll" ["IVO Software Sp. z o.o."] 


Explorer Bars 


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ 


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research" 

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] 

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS] 


Extensions (Tools menu items, main toolbar menu buttons) 


HKLM\Software\Microsoft\Internet Explorer\Extensions\ 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\ 

"ButtonText" = "Research" 



Running Services (Display Name, Service Name, Path {Service DLL}): 

------------------------------------------------------------------ 


AntiVir PersonalEdition Classic Guard, AntiVirService, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"] 

AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"] 

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"] 

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] 



Print Monitors: 

--------------- 


HKLM\System\CurrentControlSet\Control\Print\Monitors\ 

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS] 

SUGS2 Langmon\Driver = "SUGS2LMK.DLL" ["Samsung Electronics."] 



---------- (launch time: 2007-12-04 19:52:56) 

<>: Suspicious data at a malware launch point. 


+ This report excludes default entries except where indicated. 

+ To see *everywhere* the script checks and *everything* it finds, 

launch it from a command prompt or a shortcut with the -all parameter. 

+ To search all directories of local fixed drives for DESKTOP.INI 

DLL launch points, use the -supp parameter or answer "No" at the 

first message box and "Yes" at the second message box. 

---------- (total run time: 65 seconds, including 4 seconds for message boxes)

Log z hijacka: 

Logfile of HijackThis v1.99.1 

Scan saved at 20:06:37, on 2007-12-04 

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) 

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) 


Running processes: 

C:\WINDOWS\System32\smss.exe 

C:\WINDOWS\system32\winlogon.exe 

C:\WINDOWS\system32\services.exe 

C:\WINDOWS\system32\lsass.exe 

C:\WINDOWS\system32\svchost.exe 

C:\WINDOWS\System32\svchost.exe 

C:\WINDOWS\Explorer.EXE 

C:\WINDOWS\system32\spoolsv.exe 

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe 

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe 

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe 

C:\WINDOWS\System32\nvsvc32.exe 

C:\WINDOWS\system32\wuauclt.exe 

D:\Opera\Opera.exe 

C:\WINDOWS\system32\ctfmon.exe 

C:\WINDOWS\System32\svchost.exe 

E:\HijackThis.exe 


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.imesh.com/pl/ 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza 

O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\IH_iexplore.dll 

O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\IH_iexplore.dll 

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup 

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install 

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit 

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min 

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k 

O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe 

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd 

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup 

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Gadu-Gadu\gg.exe" /tray 

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe 

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL 

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe 

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe 

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe 

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe 

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe 

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) 

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe