Problem z dziwnymi plikami


(Ujsoly) #1

Mam problemy z plikami znajdujacymi sie w : C:\Documents and Settings\xxx\Ustawienia lokalne\Temp.

Mniej wiecej co 3 minuty MKS chce je usunac lub zablokowac ich laczenie sie z internetem. I sa to caly czas nowe pliki zmieniaja sie tylko ich nazwy. MKS rozpoznaje je jako trojany. Probowalem usuwac je recznie lecz to nic niedaje tworza sie od nowa.

Pliki te wygladaja tak:

todoaq1.png

oto moje logi:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:28:05, on 2007-09-23

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\hphmon05.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\mks_vir_2007\bin\mks_mail.exe

C:\Program Files\mks_vir_2007\bin\mkstray.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\Program Files\sXe Injected\sXe Injected.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Program Files\Tenda\TWL541U\Mrv8000x.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\mks_vir_2007\bin\MksFwall.exe

C:\Program Files\mks_vir_2007\bin\MksPC.exe

C:\Program Files\mks_vir_2007\bin\mksupdate.exe

C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\mks_vir_2007\bin\mks_scan.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Program Files\Spybot - Search Destroy\SpybotSD.exe

C:\WINDOWS\System32\WScript.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://ssl.netia.pl/net24/aktywacja/start.do

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O1 - Hosts: 216.107.242.199 l2authd.lineage2.com

O2 - BHO: Spybot-SD IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [HP Component Manager] ;"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [mks_mail] C:\Program Files\mks_vir_2007\bin\mks_mail.exe

O4 - HKLM\..\Run: [mkstray] C:\Program Files\mks_vir_2007\bin\mkstray.exe

O4 - HKLM\..\Run: [NeroFilterCheck] ;C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [sXe Injected] C:\Program Files\sXe Injected\sXe Injected.exe

O4 - HKLM\..\Run: [WheelMouse] ;C:\Program Files\A4Tech\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [] ;Start

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Fraps] ;C:\Fraps\FRAPS.EXE

O4 - HKCU\..\Run: [MSMSGS] ;"C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\Run: [NETIANET] C:\Program Files\Netia\Net\netianet.exe (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: TWL541U.lnk = ?

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\\mkslsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\\mkslsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\\mkslsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\\mkslsp.dll

O23 - Service: MksFwall - MKS Sp z o.o. - C:\Program Files\mks_vir_2007\bin\MksFwall.exe

O23 - Service: MksPC - Unknown owner - C:\Program Files\mks_vir_2007\bin\MksPC.exe

O23 - Service: MksUpdate - MKS Sp. z o. o. - C:\Program Files\mks_vir_2007\bin\mksupdate.exe

O23 - Service: mks_vir file monitor (MksVirMonSvc) - Unknown owner - C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe

O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\mks_vir_2007\bin\mks_scan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


--

End of file - 6096 bytes

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Fraps" = ";C:\Fraps\FRAPS.EXE" [file not found]

"MSMSGS" = ";"C:\Program Files\Messenger\msmsgs.exe" /background" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

".nvsvc" = "C:\WINDOWS\system\smss.exe /w" [null data]

"CTHelper" = "CTHELPER.EXE" [file not found]

"HP Component Manager" = ";"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" [file not found]

"HP Software Update" = ""c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"" ["Hewlett-Packard"]

"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" ["HP"]

"HPHmon05" = "C:\WINDOWS\system32\hphmon05.exe" ["Hewlett-Packard"]

"HPHUPD05" = "c:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" ["Hewlett-Packard"]

"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup" ["InstallShield Software Corporation"]

"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]

"KernelFaultCheck" = "%systemroot%\system32\dumprep 0 -k" [MS]

"mks_mail" = "C:\Program Files\mks_vir_2007\bin\mks_mail.exe" ["MkS Sp. z o.o."]

"mkstray" = "C:\Program Files\mks_vir_2007\bin\mkstray.exe" ["MKS Sp z o.o."]

"NeroFilterCheck" = ";C:\WINDOWS\system32\NeroCheck.exe" [file not found]

"PCSuiteTrayApplication" = "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup" ["Nokia"]

"sXe Injected" = "C:\Program Files\sXe Injected\sXe Injected.exe" ["sXe Injected"]

"WheelMouse" = ";C:\Program Files\A4Tech\Mouse\Amoumain.exe" [file not found]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"(Default)" = ";Start" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  - {HKLM...CLSID} = "Spybot-SD IE Protection"

                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  - {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  - {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  - {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser"

  - {HKLM...CLSID} = "Nokia Phone Browser"

                   \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  - {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\

"AppInit_DLLs" = (value not set)


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

MkS_Vir\(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"

  - {HKLM...CLSID} = "MkS_Vir Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\mks_vir_2007\bin\mksshell.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

MkS_Vir\(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"

  - {HKLM...CLSID} = "MkS_Vir Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\mks_vir_2007\bin\mksshell.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Startup items in "Kuba" "All Users" startup folders:

------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"DSLMON" - shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe" [empty string]

"Microsoft Office" - shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

"TWL541U" - shortcut to: "C:\Program Files\Tenda\TWL541U\Mrv8000x.exe" ["Tenda"]



Enabled Scheduled Tasks:

------------------------


"HP Usg Daily" - launches: "c:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\Program Files\mks_vir_2007\bin\\mkslsp.dll [null data], 01 - 03, 09

%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 10 - 31

%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08



Toolbars, Explorer Bars, Extensions:

------------------------------------


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\

"MenuText" = "Spybot - Search Destroy Configuration"

"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"

  - {HKLM...CLSID} = "Spybot-SD IE Protection"

                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



HOSTS file

----------


C:\WINDOWS\System32\drivers\etc\HOSTS


maps: 2 domain names to IP addresses,

      1 of the IP addresses is *not* localhost!



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


MkS_Scan, MkS_Scan, "C:\Program Files\mks_vir_2007\bin\mks_scan.exe" [empty string]

mks_vir file monitor, MksVirMonSvc, "C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe" [null data]

MksFwall, MksFwall, ""C:\Program Files\mks_vir_2007\bin\MksFwall.exe"" ["MKS Sp z o.o."]

MksPC, MksPC, ""C:\Program Files\mks_vir_2007\bin\MksPC.exe"" [null data]

MksUpdate, MksUpdate, ""C:\Program Files\mks_vir_2007\bin\mksupdate.exe"" ["MKS Sp. z o. o."]

Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]

ServiceLayer, ServiceLayer, ""C:\Program Files\PC Connectivity Solution\ServiceLayer.exe"" ["Nokia."]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt09\Driver = "hpzlnt09.dll" ["HP"]



---------- (launch time: 2007-09-23 12:28:56)

: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 48 seconds, including 4 seconds for message boxes)

Prosze o pomoc w ich usunieciu!


(Agatonster) #2

popielniczka

Na Forum używamy polskich znaków.

Proszę poprawić pisownię w opisie problemu.

W celu edycji swojego posta proszę skorzystać z przycisku icon_edit.gif

Zignorowanie prośby będzie skutkowało usunięciem tematu do Kosza.

Temat przenoszę do właściwego działu.


(Bbieniol) #3

Użyj narzędzia -> ComboFix

Pobierz narzędzie SDFix i przejdź do trybu awaryjnego:

Będąc już w trybie awaryjnym odpal SDFix (wypakuje się do folderu: C:\SDFix) i uruchom tam plik: RunThis.bat. Potwierdzasz czyszczenie za pomocą klawisza Y i cierpliwie czekasz.

Po tym wklejasz nowe logi + log z ComboFix + raport z SDFix :slight_smile:


(Ujsoly) #4

Z ComboFix nie wkleje bo mam blad krytyczny systemu jak to odpale pod nazwa: BAD_POOL_HEADER

hijack this:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:01:54, on 2007-09-26

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\WINDOWS\system32\hphmon05.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\mks_vir_2007\bin\mks_mail.exe

C:\Program Files\mks_vir_2007\bin\mkstray.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\Program Files\sXe Injected\sXe Injected.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Program Files\Tenda\TWL541U\Mrv8000x.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\mks_vir_2007\bin\MksFwall.exe

C:\Program Files\mks_vir_2007\bin\MksPC.exe

C:\Program Files\mks_vir_2007\bin\mksupdate.exe

C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://ssl.netia.pl/net24/aktywacja/start.do

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [HP Component Manager] ;"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [mks_mail] C:\Program Files\mks_vir_2007\bin\mks_mail.exe

O4 - HKLM\..\Run: [mkstray] C:\Program Files\mks_vir_2007\bin\mkstray.exe

O4 - HKLM\..\Run: [NeroFilterCheck] ;C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [sXe Injected] C:\Program Files\sXe Injected\sXe Injected.exe

O4 - HKLM\..\Run: [WheelMouse] ;C:\Program Files\A4Tech\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Fraps] ;C:\Fraps\FRAPS.EXE

O4 - HKCU\..\Run: [MSMSGS] ;"C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\Run: [NETIANET] C:\Program Files\Netia\Net\netianet.exe (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: TWL541U.lnk = ?

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\\mkslsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\\mkslsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\\mkslsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\\mkslsp.dll

O23 - Service: MksFwall - MKS Sp z o.o. - C:\Program Files\mks_vir_2007\bin\MksFwall.exe

O23 - Service: MksPC - Unknown owner - C:\Program Files\mks_vir_2007\bin\MksPC.exe

O23 - Service: MksUpdate - MKS Sp. z o. o. - C:\Program Files\mks_vir_2007\bin\mksupdate.exe

O23 - Service: mks_vir file monitor (MksVirMonSvc) - Unknown owner - C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe

O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\mks_vir_2007\bin\mks_scan.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


--

End of file - 5801 bytes

Sdfix:

SDFix: Version 1.107


Run by Administrator on 2007-09-26 at 17:48


Microsoft Windows XP [Wersja 5.1.2600]


Running From: C:\SDFix


Safe Mode:

Checking Services: 



Restoring Windows Registry Values

Restoring Windows Default Hosts File


Rebooting...



Normal Mode:

Checking Files: 


Trojan Files Found:


C:\WINDOWS\system\smss.exe - Deleted




Removing Temp Files...


ADS Check:


C:\WINDOWS

No streams found. 


C:\WINDOWS\system32

No streams found. 


C:\WINDOWS\system32\svchost.exe

No streams found.


C:\WINDOWS\system32\ntoskrnl.exe

No streams found.




                                 Final Check:


Remaining Services:

------------------





Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Gadu-Gadu\\gg.exe"="C:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program g˘wny"

"C:\\DOCUME~1\\Kuba\\USTAWI~1\\Temp\\81exinjs.aa.exe"="C:\\DOCUME~1\\Kuba\\USTAWI~1\\Temp\\81exinjs.aa.exe:*:Enabled:Microsoft Update"

"C:\\DOCUME~1\\Kuba\\USTAWI~1\\Temp\\98exinjs.aa.exe"="C:\\DOCUME~1\\Kuba\\USTAWI~1\\Temp\\98exinjs.aa.exe:*:Enabled:Microsoft Update"

"C:\\DOCUME~1\\Kuba\\USTAWI~1\\Temp\\79exinjs.aa.exe"="C:\\DOCUME~1\\Kuba\\USTAWI~1\\Temp\\79exinjs.aa.exe:*:Enabled:Microsoft Update"

"C:\\DOCUME~1\\Kuba\\USTAWI~1\\Temp\\39exinjs.aa.exe"="C:\\DOCUME~1\\Kuba\\USTAWI~1\\Temp\\39exinjs.aa.exe:*:Enabled:Microsoft Update"

"C:\\DOCUME~1\\Kuba\\USTAWI~1\\Temp\\56exinjs.aa.exe"="C:\\DOCUME~1\\Kuba\\USTAWI~1\\Temp\\56exinjs.aa.exe:*:Enabled:Microsoft Update"

"C:\\DOCUME~1\\Kuba\\USTAWI~1\\Temp\\64exinjs.aa.exe"="C:\\DOCUME~1\\Kuba\\USTAWI~1\\Temp\\64exinjs.aa.exe:*:Enabled:Microsoft Update"

"C:\\DOCUME~1\\Kuba\\USTAWI~1\\Temp\\97exinjs.aa.exe"="C:\\DOCUME~1\\Kuba\\USTAWI~1\\Temp\\97exinjs.aa.exe:*:Enabled:Microsoft Update"

"C:\\DOCUME~1\\Kuba\\USTAWI~1\\Temp\\53exinjs.aa.exe"="C:\\DOCUME~1\\Kuba\\USTAWI~1\\Temp\\53exinjs.aa.exe:*:Enabled:Microsoft Update"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:

---------------


File Backups: - C:\SDFix\backups\backups.zip


Files with Hidden Attributes:


Sat 1 Sep 2007 643,072 A..H. --- "C:\Lineage II C5\system\l2.exe"

Tue 10 Jul 2007 25,802,312 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\510fd197909dd722575ec6e361c56938\BIT1D.tmp"


Finished!

(Gutek) #5

Użyj ATF-Cleaner i oczyść TEMP - http://www.atribune.org/ccount/click.php?id=1


(Ujsoly) #6

Dziekuje za pomoc. Jak narazie nic sie nie pojawilo. Jesli sie jednak to powtorzy to napisze znowu:P Dzieki