Podejrzenie-hijackthis.de pokazje niebezpieczne wpisy

mr_mietus · 11 Listopad 2007 15:27

Witam!

Myślę, że może mam jakiegoś syfa na komputerze. Czasem wyłączają i zawieszają się programy. Na http://www.hijack.de znalazłem kilka wpisów niebezpiecznych. Komputer uruchamia się normalnie, choć trochę wolniej, ale to z innej przyczyny.

Proszę o sprawdzenie logów.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:16:57, on 2007-11-11 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\System32\oodag.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe C:\Program Files\Eset\nod32kui.exe C:\WINDOWS\system32\Fmctrl.EXE C:\WINDOWS\system32\LXSUPMON.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\AutoConnect\AutoConnect.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [systemTray] SysTray.Exe O4 - HKLM…\Run: [FmctrlTray] Fmctrl.EXE O4 - HKLM…\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra ‘Tools’ menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra ‘Tools’ menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_35.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Apache2 - Unknown owner - C:\Apache2.2\bin\httpd.exe (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe – End of file - 6981 bytes

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “AutoConnect” = “C:\Program Files\AutoConnect\AutoConnect.exe” [“http://autoconnect.prv.pl”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] “WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string] “WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”] “WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [“France Télécom R&D”] “nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” [“Eset “] “SystemTray” = “SysTray.Exe” [MS] “FmctrlTray” = “Fmctrl.EXE” [“ForteMedia, Inc.”] “LXSUPMON” = “C:\WINDOWS\system32\LXSUPMON.EXE RUN” [“Lexmark”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = “Spybot-S&D IE Protection” \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{8BE13461-936F-11D1-A87D-444553540000}” = “Eraser Shell Extension” -> {HKLM…CLSID} = “Eraser Shell Extension” \InProcServer32(Default) = “C:\WINDOWS\System32\erasext.dll” [”-”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{B089FE88-FB52-11d3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [“Eset “] “{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}” = “Microsoft Office OneNote Namespace Extension for Windows Desktop Search” -> {HKLM…CLSID} = “Microsoft Office OneNote Namespace Extension for Windows Desktop Search” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office12\msohevi.dll” [MS] “{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}” = “Microsoft Office Metadata Handler” -> {HKLM…CLSID} = “Microsoft Office Metadata Handler” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS] “{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}” = “Microsoft Office Thumbnail Handler” -> {HKLM…CLSID} = “Microsoft Office Thumbnail Handler” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}” -> {HKLM…CLSID} = “WPDShServiceObj Class” \InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ <> “AppInit_DLLs” = “C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL” [“Google”] HKLM\System\CurrentControlSet\Control\Session Manager\ <> “BootExecute” = “autocheck autochk *”|“OODBS” [“O&O Software GmbH”]|“lsdelete” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807563E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = “Microsoft Office InfoPath XML Mime Filter” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Erasext(Default) = “{8BE13461-936F-11D1-A87D-444553540000}” -> {HKLM…CLSID} = “Eraser Shell Extension” \InProcServer32(Default) = “C:\WINDOWS\System32\erasext.dll” [”-”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [“Eset “] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Erasext(Default) = “{8BE13461-936F-11D1-A87D-444553540000}” -> {HKLM…CLSID} = “Eraser Shell Extension” \InProcServer32(Default) = “C:\WINDOWS\System32\erasext.dll” [”-”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” ["Eset "] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Krzysiek\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp” Startup items in “Krzysiek” & “All Users” startup folders: ---------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W” [empty string] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: imon.dll ["Eset "], 01 - 05, 21 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 20 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Poszukaj” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {2670000A-7350-4F3C-8081-5663EE0C6C49}\ “ButtonText” = “Wyślij do programu OneNote” “MenuText” = “Wyślij &do programu OneNote” “CLSIDExtension” = “{48E73304-E1D6-4330-914C-F5F514E3486C}” -> {HKLM…CLSID} = “Send to OneNote from Internet Explorer button” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll” [MS] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Research” {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ “MenuText” = “Spybot - Search & Destroy Configuration” “CLSIDExtension” = “{53707962-6F74-2D53-2644-206D7942484F}” -> {HKLM…CLSID} = “Spybot-S&D IE Protection” \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {E2E2DD38-D088-4134-82B7-F2BA38496583}\ “MenuText” = “@xpsp3res.dll,-20001” “Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ad-Aware 2007 Service, aawservice, ““C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe”” [“Lavasoft AB”] Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] Canon Camera Access Library 8, CCALib8, “C:\Program Files\Canon\CAL\CALMAIN.exe” [“Canon Inc.”] Cyberlink RichVideo Service(CRVS), RichVideo, ““C:\Program Files\CyberLink\Shared Files\RichVideo.exe”” [empty string] LexBce Server, LexBceS, “C:\WINDOWS\system32\LEXBCES.EXE” [“Lexmark International, Inc.”] NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "] O&O Defrag, O&O Defrag, “C:\WINDOWS\System32\oodag.exe” [“O&O Software GmbH”] Sunbelt Personal Firewall 4, SPF4, “C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe” [“Sunbelt Software”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Lexmark Network Port\Driver = “LEXLMPM.DLL” [“Lexmark International, Inc.”] Send To Microsoft OneNote Monitor\Driver = “msonpmon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 34 seconds. ---------- (total run time: 203 seconds)

ComboFix 07-11-08.1 - Krzysiek 2007-11-11 16:05:00.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.298 [GMT 1:00] Running from: C:\Documents and Settings\Krzysiek\Pulpit\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 ))))))))))))))))))))))))))))))) . 2007-11-07 22:27 2007-11-07 22:25 2007-11-04 14:58 2007-11-04 14:26 2007-11-03 18:49 2007-11-01 20:10 2007-10-27 22:50 271,224 --a------ C:\WINDOWS\system32\mucltui.dll 2007-10-27 22:50 207,736 --a------ C:\WINDOWS\system32\muweb.dll 2007-10-27 21:19 2007-10-23 19:27 2007-10-23 19:26 2007-10-23 19:09 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll 2007-10-23 19:09 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys 2007-10-23 19:09 15,104 --a–c— C:\WINDOWS\system32\dllcache\usbscan.sys 2007-10-23 19:09 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll 2007-10-22 20:40 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll 2007-10-22 20:38 2007-10-22 20:35 2007-10-22 20:31 2007-10-22 20:29 2007-10-22 20:27 2007-10-13 23:03 2007-10-12 21:39 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-11 15:02 --------- d-----w C:\Program Files\PEERGuardian2 2007-11-11 14:27 --------- d-----w C:\Program Files\eMule 2007-11-11 14:18 --------- d-----w C:\Documents and Settings\Krzysiek\Dane aplikacji\Skype 2007-11-11 08:44 --------- d-----w C:\Program Files\AutoConnect 2007-11-07 21:28 --------- d-----w C:\Program Files\Lavasoft 2007-11-07 21:28 --------- d-----w C:\Documents and Settings\Krzysiek\Dane aplikacji\Lavasoft 2007-10-31 16:22 --------- d-----w C:\Program Files\Neostrada TP 2007-10-27 13:59 --------- d-----w C:\Program Files\Odkurzacz 2007-10-27 13:59 --------- d-----w C:\Documents and Settings\Krzysiek\Dane aplikacji\uTorrent 2007-10-24 12:48 --------- d-----w C:\Program Files\Mozilla Thunderbird 2007-10-11 19:19 25,992 ----a-w C:\WINDOWS\system32\pgdfgsvc.exe 2007-10-11 19:03 --------- d-----w C:\Program Files\CyberLink 2007-10-09 18:38 --------- d-----w C:\Documents and Settings\Krzysiek\Dane aplikacji\GanymedeNet 2007-10-09 18:08 --------- d-----w C:\Program Files\Ganymede 2007-10-05 14:59 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-10-05 06:07 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy 2007-10-05 06:04 --------- d-----w C:\Program Files\Trend Micro 2007-09-26 19:30 --------- d-----w C:\Program Files\Common Files\Adobe 2007-09-26 18:29 11,544 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err 2007-09-25 14:46 --------- d-----w C:\Program Files\Google 2007-09-23 08:36 --------- d-----w C:\Documents and Settings\Krzysiek\Dane aplikacji\DivX 2007-09-23 08:26 --------- d-----w C:\Program Files\Xvid 2007-09-23 08:24 --------- d-----w C:\Program Files\DivX 2007-09-22 19:53 --------- d-----w C:\Program Files\Ambient Design Ltd 2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll 2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll 2007-09-17 18:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll 2007-09-17 18:22 739,840 ----a-w C:\WINDOWS\system32\DivX.dll 2007-09-15 20:06 --------- d-----w C:\Program Files\Sophos 2007-09-15 19:50 --------- d-----w C:\Program Files\Gadu-Gadu 2007-09-14 14:44 --------- d-----w C:\Program Files\Microsoft Bootvis 2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe 2007-08-22 02:09 352,256 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll 2007-08-22 02:07 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll 2007-08-22 02:07 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll 2007-08-22 01:59 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe 2007-08-22 01:59 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll 2007-08-22 01:58 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll 2007-08-22 01:58 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll 2007-08-22 01:57 487,424 ----a-w C:\WINDOWS\system32\ati2evxx.exe 2007-08-22 01:56 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL 2007-08-22 01:48 8,306,688 ----a-w C:\WINDOWS\system32\atioglx2.dll 2007-08-22 01:47 3,091,392 ----a-w C:\WINDOWS\system32\ati3duag.dll 2007-08-22 01:35 1,586,816 ----a-w C:\WINDOWS\system32\ativvaxx.dll 2007-08-22 01:21 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll 2007-08-22 01:19 266,240 ----a-w C:\WINDOWS\system32\atikvmag.dll 2007-08-22 01:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll 2007-08-22 01:15 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll 2007-08-22 01:11 450,560 ----a-w C:\WINDOWS\system32\ati2cqag.dll 2007-08-21 19:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe 2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-08-21 00:26 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll 2007-08-21 00:26 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll 2007-08-15 22:33 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe 2007-08-15 22:33 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll 2007-08-15 22:33 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll 2007-08-15 22:33 129,784 ------w C:\WINDOWS\system32\pxafs.dll 2007-08-15 22:33 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe 2007-08-15 22:33 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe 2007-08-15 22:33 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll 2007-08-15 22:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll 2007-08-15 22:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll 2007-08-15 22:31 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll 2007-08-15 22:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll 2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll 2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll 2007-08-15 22:30 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2004-08-25 11:52] “WooCnxMon”=“C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [2003-10-16 17:07] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2003-10-16 17:07] “WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [2003-10-16 17:07] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-06-15 16:56] “SystemTray”=“SysTray.Exe” [2001-10-30 13:00 C:\WINDOWS\system32\systray.exe] “FmctrlTray”=“Fmctrl.EXE” [2001-08-20 20:47 C:\WINDOWS\system32\fmctrl.exe] “LXSUPMON”=“C:\WINDOWS\system32\LXSUPMON.exe” [2001-10-09 17:10] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 23:44] “AutoConnect”=“C:\Program Files\AutoConnect\AutoConnect.exe” [2004-08-28 19:27] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26] DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-06-15 15:49:52] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] “AppInit_DLLs”=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Monitor Apache Servers.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Monitor Apache Servers.lnk backup=C:\WINDOWS\pss\Monitor Apache Servers.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser] C:\Program Files\Eraser\eraser.exe -hide [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut] “C:\Program Files\CyberLink\PowerDVD\Language\Language.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] “SpybotSD TeaTimer”=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] “Google Desktop Search”=“C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys R2 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys R2 SPF4;Sunbelt Personal Firewall 4;C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe R3 gameport;FM801 PCI Joystick;C:\WINDOWS\system32\DRIVERS\fmjoy.sys R3 wdm_fm801;FM801 PCI Audio (WDM);C:\WINDOWS\system32\drivers\fm801.sys S3 MEMSWEEP2;MEMSWEEP2;??\C:\WINDOWS\system32\25B.tmp S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS *Newly Created Service* - CATCHME . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-11 16:09:55 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-11 16:12:34 . — E O F —

Pozdrawiam!

Gutek · 11 Listopad 2007 17:49

Zastosuj się do tego Tematu i zmień tytuł tematu na konkretny inaczej KOSZ

Pozdrawiam Gutek2222

Optymalizacja XP: http://forum.dobreprogramy.pl/viewtopic.php?t=76580