An uneven fight with trojan.vundo - please help


(Kbogucki) #1

Hello,

Please help - I am fighting what is probably the Vundo trojan, but without success :(

Below is the HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 00:14:45, on 2007-04-04

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\ASUSKBService.exe

C:\WINDOWS\ATKKBService.exe

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\mksauth.exe

C:\lotus\notes\ntmulti.exe

C:\WINDOWS\system32\netdde.exe

C:\WINDOWS\system32\nutsrv4.exe

C:\ASCENT~1\QUALIT~1\USERTO~1\mks\mksnt\rshd.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\telnetd.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\ATK0100\HControl.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe

C:\WINDOWS\ATK0100\ATKOSD.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\sm56hlpr.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Wireless Console 2\wcourier.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\sistray.exe

C:\install\ProcessExplorer\procexp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Documents and Settings\KRBO\Pulpit\trojan\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.winuel.com.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.winuel.com.pl

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.2.0.10:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.winuel.com.pl;10.0.*;10.100.*

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll

O4 - HKLM\..\Run: [Skrót do strony właściwości High Definition Audio] HDAShCut.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Startup: Procexp.lnk = C:\install\ProcessExplorer\procexp.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.winuel.com.pl

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120196866533

O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://wn.winuel.com.pl/dwa7W.cab

O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\TOAD\RNetPin.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ASUS Keyboard Service (ASUSKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ASUSKBService.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MGXPgmInit - Unknown owner - C:\Ascential\ProfileStage\AnalysisServer\AppToService.exe" /sys "C:\Ascential\ProfileStage\AnalysisServer\MGXPgmInit.exe" /Name:"MGXPgmInit" /Startup:M /Show:2 /Arguments:"\"C:\Ascential\ProfileStage\AnalysisServer\MGXPgmInit.ini\" (file missing)

O23 - Service: MGXSwitch - Unknown owner - C:\Ascential\ProfileStage\MessageSwitch\AppToService.exe" /sys "C:\Ascential\ProfileStage\MessageSwitch\MGXSwitch.exe" /Name:"MGXSwitch" /Startup:M /Show:2 /Arguments:"\"C:\Ascential\ProfileStage\MessageSwitch\MGXSwitch.ini\"" /Directory:" (file missing)

O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe

O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe

O23 - Service: QualityStage Engine Service (QSEngine) - Unknown owner - C:\Ascential\QualityStageServer75\qsservsrv.exe

O23 - Service: QualityStage Realtime Manager Service (QSRTManager) - Unknown owner - C:\Ascential\QualityStageServer75\qsrtmngrsrv.exe

O23 - Service: REXECD - Mortice Kern Systems Inc. - C:\ASCENT~1\QUALIT~1\USERTO~1\mks\mksnt\rexecd.exe

O23 - Service: RSHD - Mortice Kern Systems Inc. - C:\ASCENT~1\QUALIT~1\USERTO~1\mks\mksnt\rshd.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe

O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe

O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe

O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe"

and the one from Silent Runners:

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Skrót do strony właściwości High Definition Audio" = "HDAShCut.exe" ["Windows (R) Server 2003 DDK provider"]

"VTTimer" = "VTTimer.exe" ["S3 Graphics, Inc."]

"VTTrayp" = "VTtrayp.exe" ["S3 Graphics Co., Ltd."]

"HControl" = "C:\WINDOWS\ATK0100\HControl.exe" [empty string]

"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]

"Power_Gear" = "C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1" ["ASUSTeK Computer Inc."]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"SMSERIAL" = "sm56hlpr.exe" ["Motorola Inc."]

"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" ["Sun Microsystems, Inc."]

"igfxtray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]

"igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]

"igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]

"Wireless Console 2" = "C:\Program Files\Wireless Console 2\wcourier.exe" [null data]

"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]

"JobHisInit" = "C:\Program Files\RMClient\JobHisInit.exe" [empty string]

"MplSetUp" = "C:\Program Files\RMClient\MplSetUp.exe" ["RICOH CO.,LTD."]

"Synchronization Manager" = "C:\WINDOWS\system32\mobsync.exe /logon"

"SpybotSnD" = ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose" ["Safer Networking Limited"]

"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{1976BB54-4CE4-4DB9-9BBD-48445BB6DB77}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nnnlj.dll" [file not found]

{4DCB4FA4-75DE-4E9B-A039-E181EE4EAC24}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\fcyxu.dll" [file not found]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

{57E218E6-5A80-4f0c-AB25-83598F25D7E9}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\jfdtworf.dll" [null data]

{72E2D623-D7AC-41E2-BA1D-B0B72380CC50}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ddawt.dll" [null data]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

{977BE5B2-614C-4D42-BB11-E25DD90B9EBc}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\cmnawnjo.dll" [null data]

{BBE59AF5-EE22-4A3A-AB26-3F774D1B4216}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL" [null data]

{C451C08A-EC37-45DF-AAAD-18B51AB5E837}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "PDFCreator Toolbar Helper"

                   \InProcServer32\(Default) = "C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]

{CD786B5A-BFD9-4ECF-BDAF-7A2A30579745}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ssqpp.dll" [file not found]

{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\opnnoop.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"

  -> {HKLM...CLSID} = "7-Zip Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"

  -> {HKLM...CLSID} = "VpshellEx Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{30351348-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{30351347-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{3035134A-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{3035134C-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{30351346-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{30351349-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{3035134B-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{3035134D-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{3035134E-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{88BFE743-E4A3-4656-B023-DB95C56837E2}" = "Secure FTP Connections"

  -> {HKLM...CLSID} = "Secure FTP Connections"

                   \InProcServer32\(Default) = "C:\ASCENT~1\QUALIT~1\USERTO~1\mks\bin\sshview.dll" ["DataFocus, Inc."]

"{C5098102-EAF2-493A-883A-B7B751B21534}" = "FolderBox Shell Extensions"

  -> {HKLM...CLSID} = "FolderBox Shell Extensions"

                   \InProcServer32\(Default) = "C:\Program Files\FolderBox\FolderBoxShell.dll" [null data]

"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"

  -> {HKLM...CLSID} = "ImageExtractorShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]

"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"

  -> {HKLM...CLSID} = "CInfoTipShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> "{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}" = "*g" (unwritable string)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\opnnoop.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

  -> {HKLM...CLSID} = "WPDShServiceObj Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> ddawt\DLLName = "C:\WINDOWS\system32\ddawt.dll" [null data]

<> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]

<> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

<> opnnoop\DLLName = "opnnoop.dll" [null data]

<> vtuttut\DLLName = "vtuttut.dll" [file not found]

<> xxyabyw\DLLName = "xxyabyw.dll" [null data]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

<> taskmgr.exe\Debugger = ""C:\INSTALL\PROCESSEXPLORER\PROCEXP.EXE"" ["Sysinternals"]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{30351349-7B7D-4FCC-81B4-1E394CA267EB}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

  -> {HKLM...CLSID} = "7-Zip Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

  -> {HKLM...CLSID} = "VpshellEx Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

  -> {HKLM...CLSID} = "7-Zip Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

{C5098102-EAF2-493A-883A-B7B751B21534}\(Default) = "{C5098102-EAF2-493A-883A-B7B751B21534}"

  -> {HKLM...CLSID} = "FolderBox Shell Extensions"

                   \InProcServer32\(Default) = "C:\Program Files\FolderBox\FolderBoxShell.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

  -> {HKLM...CLSID} = "7-Zip Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

FineReader8\(Default) = "{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}"

  -> {HKLM...CLSID} = "FineReader8ExplorerContextMenuHandler"

                   \InProcServer32\(Default) = "C:\Program Files\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]

LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

  -> {HKLM...CLSID} = "VpshellEx Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

{C5098102-EAF2-493A-883A-B7B751B21534}\(Default) = "{C5098102-EAF2-493A-883A-B7B751B21534}"

  -> {HKLM...CLSID} = "FolderBox Shell Extensions"

                   \InProcServer32\(Default) = "C:\Program Files\FolderBox\FolderBoxShell.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\PROGRA~1\Picasa2\Picasa2.scr" ["Google Inc."]



Startup items in "KRBO" & "All Users" startup folders:

------------------------------------------------------


C:\Documents and Settings\KRBO\Menu Start\Programy\Autostart

"Procexp" -> shortcut to: "C:\install\ProcessExplorer\procexp.exe" ["Sysinternals"]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Utility Tray" -> shortcut to: "C:\WINDOWS\system32\sistray.exe" ["Silicon Integrated Systems Corporation"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06, 09 - 52

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

%SystemRoot%\system32\nutafun4.dll ["DataFocus, Inc."], 07 - 08



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}"

  -> {HKLM...CLSID} = "PDFCreator Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}"

  -> {HKLM...CLSID} = "PDFCreator Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}" = "PDFCreator Toolbar"

  -> {HKLM...CLSID} = "PDFCreator Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]


Explorer Bars


HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

{3F5A62E2-51F2-11D3-A075-CC7364CAE42B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "&Folder Box"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL" [null data]


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Internet Explorer Address Prefixes:

-----------------------------------


Prefix for specific service (i.e., "www")


HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\

<> "sftp://" = "sftp"



Miscellaneous IE Hijack Points

------------------------------


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")


Added lines (compared with English-language version):

[Strings]: START_PAGE_URL=http://www.winuel.com.pl


Missing lines (compared with English-language version):

[Strings]: 1 line



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


ASUS Keyboard Service, ASUSKeyboardService, "C:\WINDOWS\ASUSKBService.exe" ["ASUSTeK COMPUTER INC."]

ATK Keyboard Service, ATKKeyboardService, "C:\WINDOWS\ATKKBService.exe" ["ASUSTeK COMPUTER INC."]

LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]

MKS Telnetd, MKSTelnetd, "C:\WINDOWS\system32\telnetd.exe" ["DataFocus, Inc."]

MKSAUTH, MKSAUTH, "C:\WINDOWS\system32\mksauth.exe" ["Mortice Kern Systems Inc."]

Multi-user Cleanup Service, Multi-user Cleanup Service, "C:\lotus\notes\ntmulti.exe" ["IBM Corp"]

NuTCRACKER Service, NuTCRACKERService, "C:\WINDOWS\system32\nutsrv4.exe" ["DataFocus, Inc."]

RSHD, RSHD, "C:\ASCENT~1\QUALIT~1\USERTO~1\mks\mksnt\rshd.exe" ["Mortice Kern Systems Inc."]

SAVRoam, SavRoam, ""C:\Program Files\Symantec AntiVirus\SavRoam.exe"" ["symantec"]

Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]

Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]

Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]

Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]

Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]

Usługa udostępniania w sieci programu Windows Media Player, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\WMPNetwk.exe"" [MS]

Usługi Simple TCP/IP, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

NRG Language Monitor2\Driver = "rc4mon.dll" ["RICOH CO.,Ltd."]

PDFCreator\Driver = "pdfcmnnt.dll" [null data]

SmartNetMonitor\Driver = "RPNV2MON.DLL" ["RICOH"]

Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]



----------

<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 139 seconds.

---------- (total run time: 208 seconds)"
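
The Silent Runners and VundoFix output in this thread shows the two traits that give this infection away: DLLs with short random names registered at load points (Browser Helper Objects, ShellExecuteHooks, Winlogon\Notify) with no vendor string, and companion .ini/.bak files whose base name is the DLL name spelled backwards (ppqss.ini beside ssqpp.dll, jlnnn.ini beside nnnlj.dll). The script below is an added example, not code from the thread or from the authors of Silent Runners or VundoFix: it flags both patterns in log text of the shape shown above. The sample inputs are constructed, modeled on entries in this thread; the 5 to 8 letter name window is my assumption.

```python
"""Flag Vundo-style indicators in Silent Runners output and VundoFix file lists.

Added example, not code from the thread or from either tool's author. It looks for
(1) a vendor-less DLL with a short all-letter name, loaded from system32 at a load
point Vundo uses, and (2) companion files named with the DLL's stem reversed.
"""
import re
from collections import defaultdict

# Load points Vundo registered under in the thread's Silent Runners output.
LOAD_POINTS = (
    r"Explorer\Browser Helper Objects",
    r"Explorer\ShellExecuteHooks",
    r"Winlogon\Notify",
)
# Silent Runners prints one of these instead of a vendor for unsigned or absent DLLs.
SUSPECT_TAGS = ("[null data]", "[file not found]")
# Assumption: Vundo stems seen in the thread are 5 to 8 lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")

INPROC_RE = re.compile(r'InProcServer32\\\(Default\)\s*=\s*"([^"]+)"\s*(\[[^\]]*\])')
NOTIFY_RE = re.compile(r'^\s*(?:<>\s*)?\w+\\DLLName\s*=\s*"([^"]+)"\s*(\[[^\]]*\])')
FILE_RE = re.compile(r"^\s*[A-Za-z]:\\\S+?\\([A-Za-z0-9]+)\.(\w+)\s*$")


def _looks_like_vundo_dll(path, tag):
    """Vendor-less .dll in system32 (or a bare name, which Winlogon\\Notify
    resolves from there) whose stem is a short run of letters."""
    if tag not in SUSPECT_TAGS:
        return False
    directory, _, filename = path.rpartition("\\")
    if directory and not directory.lower().endswith("system32"):
        return False
    stem, _, ext = filename.rpartition(".")
    return ext.lower() == "dll" and bool(RANDOM_NAME_RE.match(stem.lower()))


def find_suspect_loads(log_text):
    """Return (load_point, dll, tag) for suspect DLLs under LOAD_POINTS."""
    hits, section = [], None
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("HKLM\\", "HKCU\\")):
            # A registry-key line opens a new Silent Runners section.
            section = next((lp for lp in LOAD_POINTS if lp in stripped), None)
            continue
        if section is None:
            continue
        m = INPROC_RE.search(line) or NOTIFY_RE.match(line)
        if m and _looks_like_vundo_dll(m.group(1), m.group(2)):
            hits.append((section, m.group(1), m.group(2)))
    return hits


def find_reversed_pairs(file_list_text):
    """Return (dll, [companions]) where a listed .dll's reversed stem also
    appears as companion .ini/.bak/.tmp files, the naming Vundo used here."""
    by_stem = defaultdict(set)
    for line in file_list_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            by_stem[m.group(1).lower()].add(m.group(2).lower())
    pairs = []
    for stem in sorted(by_stem):
        mirror = stem[::-1]
        if "dll" in by_stem[stem] and mirror != stem and mirror in by_stem:
            pairs.append((stem + ".dll", sorted(f"{mirror}.{e}" for e in by_stem[mirror])))
    return pairs


# Constructed sample, modeled on entries in this thread's Silent Runners log.
SAMPLE_SILENT_RUNNERS = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{182B90A3-F372-438A-800C-6814B4DE417B}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\xxyabyw.dll" [null data]
{1976BB54-4CE4-4DB9-9BBD-48445BB6DB77}\(Default) = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nnnlj.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> "{182B90A3-F372-438A-800C-6814B4DE417B}" = "*g" (unwritable string)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\xxyabyw.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]
<> xxyabyw\DLLName = "xxyabyw.dll" [null data]
"""

# Constructed sample, modeled on the thread's VundoFix listings.
SAMPLE_VUNDOFIX = r"""
Listing files found while scanning....

C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\ppqss.ini
C:\WINDOWS\system32\ppqss.ini2
C:\WINDOWS\system32\ssqpp.dll
C:\WINDOWS\system32\ihggh.ini
C:\WINDOWS\system32\jlnnn.bak1
C:\WINDOWS\system32\nnnlj.dll
 Attempting to delete C:\WINDOWS\system32\ssqpp.dll
C:\WINDOWS\system32\ssqpp.dll Has been deleted!
"""

if __name__ == "__main__":
    for section, dll, tag in find_suspect_loads(SAMPLE_SILENT_RUNNERS):
        print(f"suspect load point: {section}: {dll} {tag}")
    for dll, companions in find_reversed_pairs(SAMPLE_VUNDOFIX):
        print(f"reversed-name pair: {dll} <- {', '.join(companions)}")
```

The WinRAR entry is there as a negative case: it also carries [null data], but it sits under Shell Extensions\Approved rather than a load point the script watches, and it lives in Program Files, so it is not reported. Entries whose path Silent Runners prints with doubled quotes are not parsed by this regex; none of the Vundo entries in the thread are written that way.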

(JNJN) #2

Please read the pinned topics in this section and correct your post. JNJN


(Kbogucki) #3

Hello,

I went through the logs on the forum and took the following actions in Safe Mode:

VundoFix + FixVundo + VirtumundoBeGone + SmitFraudFix (option 2) + Silent Runners + ComboFix

Log from vundofix.txt:

"VundoFix V4.2.22

Scan started at 12:21:05 2007-03-30


Listing files found while scanning....



C:\WINDOWS\system32\ppqss.bak1

C:\WINDOWS\system32\ppqss.bak2

C:\WINDOWS\system32\ppqss.tmp

C:\WINDOWS\system32\ppqss.ini

C:\WINDOWS\system32\ppqss.ini2

C:\WINDOWS\system32\ssqpp.dll

C:\WINDOWS\system32\ppqss.ini2

C:\WINDOWS\system32\ppqss.bak2

C:\WINDOWS\system32\ppqss.tmp

C:\WINDOWS\system32\ppqss.ini

C:\WINDOWS\system32\ppqss.ini2

C:\WINDOWS\system32\ssqpp.dll

 Attempting to delete C:\WINDOWS\system32\ppqss.bak1

C:\WINDOWS\system32\ppqss.bak1 Has been deleted!


 Attempting to delete C:\WINDOWS\system32\ppqss.bak2

C:\WINDOWS\system32\ppqss.bak2 Has been deleted!


 Attempting to delete C:\WINDOWS\system32\ppqss.tmp

C:\WINDOWS\system32\ppqss.tmp Has been deleted!


 Attempting to delete C:\WINDOWS\system32\ppqss.ini

C:\WINDOWS\system32\ppqss.ini Has been deleted!


 Attempting to delete C:\WINDOWS\system32\ppqss.ini2

C:\WINDOWS\system32\ppqss.ini2 Has been deleted!


 Attempting to delete C:\WINDOWS\system32\ssqpp.dll

C:\WINDOWS\system32\ssqpp.dll Has been deleted!


Performing Repairs to the registry.

Done!


VundoFix V4.2.22

Scan started at 12:33:48 2007-03-30


Listing files found while scanning....



No infected files were found.



VundoFix V4.2.22

Scan started at 14:51:58 2007-03-30


Listing files found while scanning....



C:\WINDOWS\system32\ihggh.bak1

C:\WINDOWS\system32\ihggh.ini

C:\WINDOWS\system32\jlnnn.bak1

C:\WINDOWS\system32\jlnnn.ini

C:\WINDOWS\system32\nnnlj.dll

 Attempting to delete C:\WINDOWS\system32\ihggh.bak1

C:\WINDOWS\system32\ihggh.bak1 Has been deleted!


 Attempting to delete C:\WINDOWS\system32\ihggh.ini

C:\WINDOWS\system32\ihggh.ini Has been deleted!


 Attempting to delete C:\WINDOWS\system32\jlnnn.bak1

C:\WINDOWS\system32\jlnnn.bak1 Has been deleted!


 Attempting to delete C:\WINDOWS\system32\jlnnn.ini

C:\WINDOWS\system32\jlnnn.ini Has been deleted!


 Attempting to delete C:\WINDOWS\system32\nnnlj.dll

C:\WINDOWS\system32\nnnlj.dll Could not be deleted.


Performing Repairs to the registry.

Done!


VundoFix V4.2.22

Scan started at 00:24:51 2007-04-02


Listing files found while scanning....



C:\WINDOWS\system32\jlnnn.bak1

C:\WINDOWS\system32\jlnnn.tmp

C:\WINDOWS\system32\jlnnn.ini

C:\WINDOWS\system32\jlnnn.ini2

C:\WINDOWS\system32\nnnlj.dll

C:\WINDOWS\system32\jlnnn.ini2

C:\WINDOWS\system32\jlnnn.tmp

C:\WINDOWS\system32\jlnnn.ini

C:\WINDOWS\system32\jlnnn.ini2

C:\WINDOWS\system32\nnnlj.dll

 Attempting to delete C:\WINDOWS\system32\jlnnn.bak1

C:\WINDOWS\system32\jlnnn.bak1 Has been deleted!


 Attempting to delete C:\WINDOWS\system32\jlnnn.tmp

C:\WINDOWS\system32\jlnnn.tmp Has been deleted!


 Attempting to delete C:\WINDOWS\system32\jlnnn.ini

C:\WINDOWS\system32\jlnnn.ini Has been deleted!


 Attempting to delete C:\WINDOWS\system32\jlnnn.ini2

C:\WINDOWS\system32\jlnnn.ini2 Has been deleted!


 Attempting to delete C:\WINDOWS\system32\nnnlj.dll

C:\WINDOWS\system32\nnnlj.dll Has been deleted!


Performing Repairs to the registry.

Done!


VundoFix V4.2.22

Scan started at 07:51:40 2007-04-02


Listing files found while scanning....



No infected files were found.



VundoFix V4.2.22

Scan started at 09:20:15 2007-04-02


Listing files found while scanning....



No infected files were found.



VundoFix V4.2.22

Scan started at 09:42:07 2007-04-02


Listing files found while scanning....



No infected files were found.



VundoFix V4.2.22

Scan started at 23:39:16 2007-04-03


Listing files found while scanning....



C:\WINDOWS\system32\uxycf.bak1

C:\WINDOWS\system32\uxycf.bak2

C:\WINDOWS\system32\uxycf.ini

C:\WINDOWS\system32\fcyxu.dll

 Attempting to delete C:\WINDOWS\system32\uxycf.bak1

C:\WINDOWS\system32\uxycf.bak1 Has been deleted!


 Attempting to delete C:\WINDOWS\system32\uxycf.bak2

C:\WINDOWS\system32\uxycf.bak2 Has been deleted!


 Attempting to delete C:\WINDOWS\system32\uxycf.ini

C:\WINDOWS\system32\uxycf.ini Has been deleted!


 Attempting to delete C:\WINDOWS\system32\fcyxu.dll

C:\WINDOWS\system32\fcyxu.dll Has been deleted!


Performing Repairs to the registry.

Done!


VundoFix V4.2.22

Scan started at 10:40:38 2007-04-04


Listing files found while scanning....



C:\WINDOWS\system32\twadd.bak1

C:\WINDOWS\system32\twadd.ini

C:\WINDOWS\system32\ddawt.dll

 Attempting to delete C:\WINDOWS\system32\twadd.bak1

C:\WINDOWS\system32\twadd.bak1 Has been deleted!


 Attempting to delete C:\WINDOWS\system32\twadd.ini

C:\WINDOWS\system32\twadd.ini Has been deleted!


 Attempting to delete C:\WINDOWS\system32\ddawt.dll

C:\WINDOWS\system32\ddawt.dll Has been deleted!


Performing Repairs to the registry.

Done!"


Silent Runners log:

""Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Skrót do strony właściwości High Definition Audio" = "HDAShCut.exe" ["Windows (R) Server 2003 DDK provider"]

"VTTimer" = "VTTimer.exe" ["S3 Graphics, Inc."]

"VTTrayp" = "VTtrayp.exe" ["S3 Graphics Co., Ltd."]

"HControl" = "C:\WINDOWS\ATK0100\HControl.exe" [empty string]

"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]

"Power_Gear" = "C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1" ["ASUSTeK Computer Inc."]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"SMSERIAL" = "sm56hlpr.exe" ["Motorola Inc."]

"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" ["Sun Microsystems, Inc."]

"igfxtray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]

"igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]

"igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]

"Wireless Console 2" = "C:\Program Files\Wireless Console 2\wcourier.exe" [null data]

"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]

"JobHisInit" = "C:\Program Files\RMClient\JobHisInit.exe" [empty string]

"MplSetUp" = "C:\Program Files\RMClient\MplSetUp.exe" ["RICOH CO.,LTD."]

"Synchronization Manager" = "C:\WINDOWS\system32\mobsync.exe /logon"

"SpybotSnD" = ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose" ["Safer Networking Limited"]

"NuTCSetupEnviron" = "C:\ASCENT~1\QUALIT~1\USERTO~1\mks\bin\ncoeenv.exe" ["DataFocus, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{182B90A3-F372-438A-800C-6814B4DE417B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\xxyabyw.dll" [null data]

{1976BB54-4CE4-4DB9-9BBD-48445BB6DB77}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nnnlj.dll" [file not found]

{4DCB4FA4-75DE-4E9B-A039-E181EE4EAC24}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\fcyxu.dll" [file not found]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

{57E218E6-5A80-4f0c-AB25-83598F25D7E9}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\jfdtworf.dll" [null data]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

{977BE5B2-614C-4D42-BB11-E25DD90B9EBc}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\cmnawnjo.dll" [null data]

{AB8334E4-4060-4EFE-BA0B-C77C88763502}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ddawt.dll" [file not found]

{BBE59AF5-EE22-4A3A-AB26-3F774D1B4216}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL" [null data]

{C451C08A-EC37-45DF-AAAD-18B51AB5E837}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "PDFCreator Toolbar Helper"

                   \InProcServer32\(Default) = "C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]

{CD786B5A-BFD9-4ECF-BDAF-7A2A30579745}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ssqpp.dll" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"

  -> {HKLM...CLSID} = "7-Zip Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"

  -> {HKLM...CLSID} = "VpshellEx Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{30351348-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{30351347-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{3035134A-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{3035134C-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{30351346-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{30351349-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{3035134B-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{3035134D-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{3035134E-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

"{88BFE743-E4A3-4656-B023-DB95C56837E2}" = "Secure FTP Connections"

  -> {HKLM...CLSID} = "Secure FTP Connections"

                   \InProcServer32\(Default) = "C:\ASCENT~1\QUALIT~1\USERTO~1\mks\bin\sshview.dll" ["DataFocus, Inc."]

"{C5098102-EAF2-493A-883A-B7B751B21534}" = "FolderBox Shell Extensions"

  -> {HKLM...CLSID} = "FolderBox Shell Extensions"

                   \InProcServer32\(Default) = "C:\Program Files\FolderBox\FolderBoxShell.dll" [null data]

"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"

  -> {HKLM...CLSID} = "ImageExtractorShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]

"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"

  -> {HKLM...CLSID} = "CInfoTipShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> "{182B90A3-F372-438A-800C-6814B4DE417B}" = "*g" (unwritable string)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\xxyabyw.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

  -> {HKLM...CLSID} = "WPDShServiceObj Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]

<> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

<> vtuttut\DLLName = "vtuttut.dll" [file not found]

<> xxyabyw\DLLName = "xxyabyw.dll" [null data]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

<> taskmgr.exe\Debugger = ""C:\INSTALL\PROCESSEXPLORER\PROCEXP.EXE"" ["Sysinternals"]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{30351349-7B7D-4FCC-81B4-1E394CA267EB}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

  -> {HKLM...CLSID} = "7-Zip Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

  -> {HKLM...CLSID} = "VpshellEx Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

  -> {HKLM...CLSID} = "7-Zip Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

{C5098102-EAF2-493A-883A-B7B751B21534}\(Default) = "{C5098102-EAF2-493A-883A-B7B751B21534}"

  -> {HKLM...CLSID} = "FolderBox Shell Extensions"

                   \InProcServer32\(Default) = "C:\Program Files\FolderBox\FolderBoxShell.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

  -> {HKLM...CLSID} = "7-Zip Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

FineReader8\(Default) = "{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}"

  -> {HKLM...CLSID} = "FineReader8ExplorerContextMenuHandler"

                   \InProcServer32\(Default) = "C:\Program Files\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]

LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

  -> {HKLM...CLSID} = "VpshellEx Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"

  -> {HKLM...CLSID} = "TortoiseSVN"

                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

{C5098102-EAF2-493A-883A-B7B751B21534}\(Default) = "{C5098102-EAF2-493A-883A-B7B751B21534}"

  -> {HKLM...CLSID} = "FolderBox Shell Extensions"

                   \InProcServer32\(Default) = "C:\Program Files\FolderBox\FolderBoxShell.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\PROGRA~1\Picasa2\Picasa2.scr" ["Google Inc."]



Startup items in "KRBO" & "All Users" startup folders:

------------------------------------------------------


C:\Documents and Settings\KRBO\Menu Start\Programy\Autostart

"Procexp" -> shortcut to: "C:\install\ProcessExplorer\procexp.exe" ["Sysinternals"]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Utility Tray" -> shortcut to: "C:\WINDOWS\system32\sistray.exe" ["Silicon Integrated Systems Corporation"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06, 09 - 52

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

%SystemRoot%\system32\nutafun4.dll ["DataFocus, Inc."], 07 - 08



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}"

  -> {HKLM...CLSID} = "PDFCreator Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}"

  -> {HKLM...CLSID} = "PDFCreator Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}" = "PDFCreator Toolbar"

  -> {HKLM...CLSID} = "PDFCreator Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]


Explorer Bars


HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

{3F5A62E2-51F2-11D3-A075-CC7364CAE42B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "&Folder Box"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL" [null data]


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Internet Explorer Address Prefixes:

-----------------------------------


Prefix for specific service (i.e., "www")


HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\

<> "sftp://" = "sftp"



Miscellaneous IE Hijack Points

------------------------------


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")


Added lines (compared with English-language version):

[Strings]: START_PAGE_URL=http://www.winuel.com.pl


Missing lines (compared with English-language version):

[Strings]: 1 line



All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):

---------------------------------------------------------------------------


.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]

ASUS Keyboard Service, ASUSKeyboardService, "C:\WINDOWS\ASUSKBService.exe" ["ASUSTeK COMPUTER INC."]

ATK Keyboard Service, ATKKeyboardService, "C:\WINDOWS\ATKKBService.exe" ["ASUSTeK COMPUTER INC."]

Canon Camera Access Library 8, CCALib8, "C:\Program Files\Canon\CAL\CALMAIN.exe" ["Canon Inc."]

Google Updater Service, gusvc, ""C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]

InstallDriver Table Manager, IDriverT, ""C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe"" ["Macrovision Corporation"]

Karta wydajności WMI, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]

LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]

LiveUpdate, LiveUpdate, ""C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"" ["Symantec Corporation"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]

MGXPgmInit, MGXPgmInit, ""C:\Ascential\ProfileStage\AnalysisServer\AppToService.exe" /sys "C:\Ascential\ProfileStage\AnalysisServer\MGXPgmInit.exe" /Name:"MGXPgmInit" /Startup:M /Show:2 /Arguments:"\"C:\Ascential\ProfileStage\AnalysisServer\MGXPgmInit.ini\""" ["Basta Computing "]

MGXSwitch, MGXSwitch, ""C:\Ascential\ProfileStage\MessageSwitch\AppToService.exe" /sys "C:\Ascential\ProfileStage\MessageSwitch\MGXSwitch.exe" /Name:"MGXSwitch" /Startup:M /Show:2 /Arguments:"\"C:\Ascential\ProfileStage\MessageSwitch\MGXSwitch.ini\"" /Directory:""" ["Basta Computing "]

MKS Rlogind, MKSRlogind, "C:\ASCENT~1\QUALIT~1\USERTO~1\mks\bin\rlogind.exe" ["DataFocus, Inc."]

MKS Secure Shell Service, MKSSecureSH, "C:\ASCENT~1\QUALIT~1\USERTO~1\mks\bin\secshd.exe" ["DataFocus, Inc."]

MKS Telnetd, MKSTelnetd, "C:\WINDOWS\system32\telnetd.exe" ["DataFocus, Inc."]

MKSAUTH, MKSAUTH, "C:\WINDOWS\system32\mksauth.exe" ["Mortice Kern Systems Inc."]

MSSQLSERVER, MSSQLSERVER, "C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe" [MS]

MSSQLServerADHelper, MSSQLServerADHelper, "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe" [MS]

Multi-user Cleanup Service, Multi-user Cleanup Service, "C:\lotus\notes\ntmulti.exe" ["IBM Corp"]

NuTCRACKER Service, NuTCRACKERService, "C:\WINDOWS\system32\nutsrv4.exe" ["DataFocus, Inc."]

Office Source Engine, ose, ""C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"" [MS]

Portable Media Serial Number Service, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}

QualityStage Engine Service, QSEngine, "C:\Ascential\QualityStageServer75\qsservsrv.exe" [null data]

QualityStage Realtime Manager Service, QSRTManager, "C:\Ascential\QualityStageServer75\qsrtmngrsrv.exe" [null data]

REXECD, REXECD, "C:\ASCENT~1\QUALIT~1\USERTO~1\mks\mksnt\rexecd.exe" ["Mortice Kern Systems Inc."]

RSHD, RSHD, "C:\ASCENT~1\QUALIT~1\USERTO~1\mks\mksnt\rshd.exe" ["Mortice Kern Systems Inc."]

SAVRoam, SavRoam, ""C:\Program Files\Symantec AntiVirus\SavRoam.exe"" ["symantec"]

SQLSERVERAGENT, SQLSERVERAGENT, "C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlagent.exe" [MS]

Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]

Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]

Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]

Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]

Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]

Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]

Usługa administracyjna Menedżera dysków logicznych, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]

Usługa dostarczania sieci, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}

Usługa udostępniania w sieci programu Windows Media Player, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\WMPNetwk.exe"" [MS]

Usługi Simple TCP/IP, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]

VMware Authorization Service, VMAuthdService, "C:\Program Files\VMware\VMware Player\vmware-authd.exe" ["VMware, Inc."]

VMware DHCP Service, VMnetDHCP, "C:\WINDOWS\system32\vmnetdhcp.exe" ["VMware, Inc."]

VMware NAT Service, VMware NAT Service, "C:\WINDOWS\system32\vmnat.exe" ["VMware, Inc."]

VMware Virtual Mount Manager Extended, vmount2, ""C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe"" ["VMware, Inc."]

Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}

„Usługa stanu ASP.NET, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

NRG Language Monitor2\Driver = "rc4mon.dll" ["RICOH CO.,Ltd."]

PDFCreator\Driver = "pdfcmnnt.dll" [null data]

SmartNetMonitor\Driver = "RPNV2MON.DLL" ["RICOH"]

Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]



----------

<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 18 seconds.

---------- (total run time: 69 seconds)"

Log from ComboFix:

""KRBO" - 07-04-04 12:00:11 Dodatek Service Pack 2

ComboFix 07-04-04.5 - Running from: "C:\Documents and Settings\KRBO\Pulpit\trojan"



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



C:\install.log



((((((((((((((((((((((((((((((( Files Created from 2007-03-04 to 2007-04-04 ))))))))))))))))))))))))))))))))))



2007-04-04 11:54	3,734	--a------	C:\WINDOWS\system32\tmp.reg

2007-04-03 12:55	

I removed the files:

[code]2007-03-30 12:39 280,676 --ahs---- C:\WINDOWS\system32\hgghi.dll.vir
2007-03-30 09:29 26,730 --a------ C:\WINDOWS\system32\vtuttut.dll.vir
2007-03-30 09:12 132,116 --a------ C:\WINDOWS\system32\cmnawnjo.dll
2007-03-29 19:12 26,730 --a------ C:\WINDOWS\system32\opnnoop.dll.vir
2007-03-29 16:05 26,730 --a------ C:\WINDOWS\system32\jkkljhi.dll.vir[/code]

I saw in other replies that registry modifications were recommended.

Should I take any further actions?

After the whole cleanup and connecting to the network, I had the symptom of a large number of Internet Explorer windows popping up...