Poproszę o sprawdzenie logów


(Tykfa7) #1

Silent Runners

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Free Upload Manager" = ""C:\Program Files\Free Download Manager\fum\fum.exe" -autorun" [null data]

"Free Uploader Oe Integration" = "C:\Program Files\Free Download Manager\FUM\fumoei.exe" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"F-Secure Manager" = ""C:\Program Files\F-Secure\Common\FSM32.EXE" /splash" ["F-Secure Corporation"]

"F-Secure TNB" = ""C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"]

"QuickTime Task" = ""C:\Program Files\Ringz Studio\Storm Codec\qttask.exe" -atboottime" ["Apple Inc."]

"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]

"UserFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -u"


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{3ADCBC16-19FA-4C59-9C22-E17C71B5FD7A}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "MSVPS System"

                   \InProcServer32\(Default) = "C:\WINDOWS\bndsrdkq.dll" [empty string]

{43BF8E0C-886D-4103-8DDB-2DFE0E8A0168}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Video Add-on\isfmdl.dll" [file not found]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "FDMIECookiesBHO Class"

                   \InProcServer32\(Default) = "C:\Program Files\Free Download Manager\iefdm2.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}" = "Foldery w sieci Web"

  -> {HKCU...CLSID} = "Foldery w sieci Web"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKCU...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKCU...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "\\HOME\FILES$\OCHRONA\MOJEDO~1\WINZIP\WZSHLSTB.DLL" [**WMI GetObject error**]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "\\HOME\FILES$\OCHRONA\MOJEDO~1\WINZIP\WZSHLSTB.DLL" [**WMI GetObject error**]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "\\HOME\FILES$\OCHRONA\MOJEDO~1\WINZIP\WZSHLSTB.DLL" [**WMI GetObject error**]

"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "\\HOME\FILES$\OCHRONA\MOJEDO~1\WINZIP\WZSHLSTB.DLL" [**WMI GetObject error**]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "\\HOME\FILES$\OCHRONA\MOJEDO~1\WINZIP\WZSHLSTB.DLL" [**WMI GetObject error**]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "\\HOME\FILES$\OCHRONA\MOJEDO~1\WINZIP\WZSHLSTB.DLL" [**WMI GetObject error**]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "\\HOME\FILES$\OCHRONA\MOJEDO~1\WINZIP\WZSHLSTB.DLL" [**WMI GetObject error**]


HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

FdmUplShlExt\(Default) = "{F49C55B9-D417-45A1-A6E7-D6E057946280}"

  -> {HKLM...CLSID} = "FdmUplShlExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Free Download Manager\FUM\fumshext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"DisablePersonalDirChange" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\


"HomePage" = (REG_DWORD) hex:0x00000001

{User Configuration|Administrative Templates|Windows Components|Internet Explorer|

Disable changing home page settings}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Tapeta programu Internet Explorer.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\ochrona\Dane aplikacji\Microsoft\Internet Explorer\Tapeta programu Internet Explorer.bmp"


Active Desktop web content (hidden if disabled):


HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\2\

"FriendlyName" = ""

"Source" = "https://poczta.skorpion-security.com.pl/images/skorpion.png"

"SubscribedURL" = "https://poczta.skorpion-security.com.pl/images/skorpion.png"


HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\3\

"FriendlyName" = ""

"Source" = "file:///C:/DOCUME~1/ochrona/USTAWI~1/Temp/msohtml1/01/clip_image001.png"

"SubscribedURL" = "file:///C:/DOCUME~1/ochrona/USTAWI~1/Temp/msohtml1/01/clip_image001.png"


HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\4\

"FriendlyName" = ""

"Source" = "file:///C:/DOCUME~1/ochrona/USTAWI~1/Temp/msohtml1/01/clip_image002.jpg"

"SubscribedURL" = "file:///C:/DOCUME~1/ochrona/USTAWI~1/Temp/msohtml1/01/clip_image002.jpg"


HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\5\

"FriendlyName" = ""

"Source" = "file:///C:/DOCUME~1/ochrona/USTAWI~1/Temp/msohtml1/01/clip_image001.jpg"

"SubscribedURL" = "file:///C:/DOCUME~1/ochrona/USTAWI~1/Temp/msohtml1/01/clip_image001.jpg"



Startup items in "ochrona" & "All Users" startup folders:

---------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"F-Secure Automatic Update" -> shortcut to: "C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe -startup" ["F-Secure Automatic Update"]



Enabled Scheduled Tasks:

------------------------


"AppleSoftwareUpdate.job" -- insufficient permission to read this file!

"RegClean Scheduled Scan" -> launches: "C:\Program Files\RegClean\RegClean.exe scheduled" [file not found]


"Scheduled scanning task.job" -- insufficient permission to read this file!



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{4D5C8C2A-D075-11D0-B416-00C04FB90376}"

  -> {HKLM...CLSID} = "Pasek poleceń Microsoft"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"

  -> {HKLM...CLSID} = "IE Custom Tools"

                   \InProcServer32\(Default) = "C:\Program Files\Video Add-on\ictmdl.dll" [file not found]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{ABF529BE-6245-465A-BBD4-238C4EAB0F0A}" = (no title provided)

  -> {HKLM...CLSID} = "The netadv"

                   \InProcServer32\(Default) = "C:\WINDOWS\netadv.dll" [null data]

"{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}" = (no title provided)

  -> {HKLM...CLSID} = "IE Custom Tools"

                   \InProcServer32\(Default) = "C:\Program Files\Video Add-on\ictmdl.dll" [file not found]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}\(Default) = "IE Custom Tools"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Video Add-on\ictmdl.dll" [file not found]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]


{300DB664-75B5-47C0-8B45-A44ACCF73C00}\

"ButtonText" = "IE Shield"

"MenuText" = "IE Shield..."

"CLSIDExtension" = "{0928F506-07E8-470c-979D-147C296D4879}"

  -> {HKLM...CLSID} = "F-Secure IE Shield COM button"

                   \InProcServer32\(Default) = "C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll" ["F-Secure Corporation"]


{DE60714F-AC17-427E-861A-FD60CBDF119A}\

"ButtonText" = "Ň×ȤąşÎď"

"MenuText" = "Ň×ȤąşÎď"

"Exec" = "http://click2.ad4all.net/url2/urlmanage/url.asp?id=1" [file not found]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


{FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1}\

"ButtonText" = "Upload"

"CLSIDExtension" = "{FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1}"

  -> {HKLM...CLSID} = "FDMUploadBtnForIe Class"

                   \InProcServer32\(Default) = "C:\Program Files\Free Download Manager\FUM\fumiebtn.dll" [null data]



Miscellaneous IE Hijack Points

------------------------------


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")


Added lines (compared with English-language version):

[Strings]: START_PAGE_URL=http://intranet


Missing lines (compared with English-language version):

[Strings]: 1 line


HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

<> "Tabs" = "res://ieframe.dll/tabswelcome.htm" [file not found]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}

F-Secure Automatic Update, BackWeb Plug-in - 7681197, "C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE" ["F-Secure Automatic Update"]

F-Secure Network Request Broker, F-Secure Network Request Broker, ""C:\Program Files\F-Secure\Common\FNRB32.EXE"" ["F-Secure Corporation"]

fsbwsys, fsbwsys, ""C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe"" ["F-Secure Corp."]

FSGKHS, F-Secure Gatekeeper Handler Starter, ""C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe"" ["F-Secure Corp."]

FSMA, FSMA, ""C:\Program Files\F-Secure\Common\FSMA32.EXE"" ["F-Secure Corporation"]

SMS Agent Host, CcmExec, "C:\WINDOWS\system32\CCM\CcmExec.exe" [null data]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



---------- (launch time: 2007-11-28 09:11:56)

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 36 seconds.

---------- (total run time: 135 seconds)

HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 07:26:51, on 07-11-27

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal


Running processes:

C:\Program Files\F-Secure\Common\FSM32.EXE

C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe

C:\Program Files\F-Secure\FSGUI\fsguidll.exe

C:\Program Files\Ringz Studio\Storm Codec\qttask.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Free Download Manager\FUM\fumoei.exe

C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe

C:\WINDOWS\system32\WISPTIS.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\explorer.exe

C:\PROGRA~1\FREEDO~1\fdm.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\foobar2000\foobar2000.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.5.171:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.176.50;192.168.71.173;192.168.176.74;192.168.96.*;192.168.6.132;192.168.*;10.10.*;*.nom44.*;s06.*;*.exatel.sa;

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: (no name) - {274c0420-ebe0-4f1d-b473-edd1aa9b85dd} - (no file)

O2 - BHO: MSVPS System - {3ADCBC16-19FA-4C59-9C22-E17C71B5FD7A} - C:\WINDOWS\bndsrdkq.dll

O2 - BHO: (no name) - {43BF8E0C-886D-4103-8DDB-2DFE0E8A0168} - C:\Program Files\Video Add-on\isfmdl.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O3 - Toolbar: (no name) - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - (no file)

O3 - Toolbar: (no name) - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - (no file)

O3 - Toolbar: The netadv - {ABF529BE-6245-465A-BBD4-238C4EAB0F0A} - C:\WINDOWS\netadv.dll

O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll (file missing)

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Ringz Studio\Storm Codec\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [Free Upload Manager] "C:\Program Files\Free Download Manager\fum\fum.exe" -autorun

O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe

O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll

O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll

O9 - Extra button: Ň×ȤąşÎď - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)

O9 - Extra 'Tools' menuitem: Ň×ȤąşÎď - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll

O14 - IERESET.INF: START_PAGE_URL=http://intranet

O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_70.cab

O16 - DPF: {4539348E-01D7-11D5-9A39-0080C8D85044} (GameDesire Slots 90th) - http://67.15.101.3/g_bin/pl/slots90_2_0_0_29.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140604853086

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140604839520

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A6916797-7ABD-4F07-93AE-098B6F543129} (CO2Player Class) - http://www.lemontv.pl/lmctrlp.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - http://game09.zylom.com/activex/zylomgamesplayer.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_24.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = exatel.sa

O17 - HKLM\Software\..\Telephony: DomainName = exatel.sa

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = exatel.sa

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = exatel.sa

O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE

O23 - Service: SMS Agent Host (CcmExec) - Unknown owner - C:\WINDOWS\system32\CCM\CcmExec.exe

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE

O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe

O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O24 - Desktop Component 0: (no name) - http://www.programs.pl/images/pobierz.gif

O24 - Desktop Component 1: (no name) - http://www.megastacja.net/theme/ms/images/kanalsy_12.gif

O24 - Desktop Component 2: (no name) - https://poczta.skorpion-security.com.pl/images/skorpion.png

O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/ochrona/USTAWI~1/Temp/msohtml1/01/clip_image001.png

O24 - Desktop Component 4: (no name) - file:///C:/DOCUME~1/ochrona/USTAWI~1/Temp/msohtml1/01/clip_image002.jpg

O24 - Desktop Component 5: (no name) - file:///C:/DOCUME~1/ochrona/USTAWI~1/Temp/msohtml1/01/clip_image001.jpg


--

End of file - 8388 bytes

(Monczkin) #2

Archibal, jak wklejasz logi, to opisz konkretnie problem. BTW – od takich tematów jest dział Bezpieczeństwo.


(Tykfa7) #3

Oki, sorki, już piszę, w czym rzecz: objawem infekcji są okienka i reklamy otwierające się samoistnie, które przekierowują na inne strony, oraz brak możliwości ustawienia strony startowej/domowej – w pasku adresu wyskakuje tylko takie coś :smiley: about:blank


(Kaka') #4

Archibal, proszę, zapoznaj się z tą stroną oraz tym tematem, a następnie popraw tytuł tematu, używając przycisku icon_edit.gif


(Gutek) #5

Użyj SmitFraudFix – wybierz opcję nr 2, oczywiście w trybie awaryjnym – a po tym daj log z ComboFix.