Problem with a worm (sality_u)


(Kosak44) #1

I have a problem with one piece of malware.

It infects the file ...\system32\wdmfmc32.dll (that much I know) and I don't know what to do about it.

MKS detects it right away at startup; when it is removed, all programs start up (Explorer included), then the alert pops up every so often and after deletion it comes back.

I've already killed it with KillBox (with a reboot and without), but to no avail.

I downloaded Prevx1 - it detects it, does a cleanup, reboots... and nothing, after the restart it's the same thing.

Does anyone know how to get rid of this thing?

Full log from HJT:

StartupList report, 2006-06-04, 18:31:19

StartupList version: 1.52.2

Started from : D:\Documents and Settings\bartek\Pulpit\HijackThis.EXE

Detected: Windows XP (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 (6.00.2600.0000)

* Using default options

* Including empty and uninteresting sections

* Showing rarely important sections

==================================================


Running processes:


D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\System32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\Explorer.EXE

D:\Program Files\MKS\Bin\mks_menu.exe

D:\Program Files\MKS\Bin\ABregmon.exe

D:\Program Files\VIAudioi\SBADeck\ADeck.exe

E:\Program Files\DAEMON Tools\daemon.exe

D:\WINDOWS\System32\ctfmon.exe

D:\Program Files\Messenger\msmsgs.exe

D:\Program Files\MKS\Bin\NetMonSV.exe

D:\Program Files\MKS\Bin\mksmonsv.exe

E:\Program Files\Opera\Opera.exe

D:\WINDOWS\System32\wuauclt.exe

D:\Program Files\MKS\Bin\mks_scan.exe

D:\Documents and Settings\bartek\Pulpit\HijackThis.exe


--------------------------------------------------


Listing of startup folders:


Shell folders Startup:

[D]

*No files*


Shell folders AltStartup:

*Folder not found*


User shell folders Startup:

*Folder not found*


User shell folders AltStartup:

*Folder not found*


Shell folders Common Startup:

[D]

Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

ATI CATALYST System Tray.lnk = D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe


Shell folders Common AltStartup:

*Folder not found*


User shell folders Common Startup:

*Folder not found*


User shell folders Alternate Common Startup:

*Folder not found*


--------------------------------------------------


Checking Windows NT UserInit:


[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = D:\WINDOWS\system32\userinit.exe,


[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*


[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

*Registry value not found*


[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*


--------------------------------------------------


Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run


ATIPTA = D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

(Default) = 

MKS_MENU = D:\Program Files\MKS\Bin\mks_menu.exe

ABREGMON = D:\Program Files\MKS\Bin\ABregmon.exe

AudioDeck = D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 

NeroFilterCheck = D:\WINDOWS\system32\NeroCheck.exe

DAEMON Tools = "e:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

PrevxOne = D:\Program Files\Prevx1\PXConsole.exe


--------------------------------------------------


Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce


*No values found*


--------------------------------------------------


Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx


*No values found*


--------------------------------------------------


Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices


*Registry key not found*


--------------------------------------------------


Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce


*Registry key not found*


--------------------------------------------------


Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run


CTFMON.EXE = D:\WINDOWS\System32\ctfmon.exe

MSMSGS = "D:\Program Files\Messenger\msmsgs.exe" /background


--------------------------------------------------


Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce


*Registry key not found*


--------------------------------------------------


Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx


*Registry key not found*


--------------------------------------------------


Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices


*Registry key not found*


--------------------------------------------------


Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce


*Registry key not found*


--------------------------------------------------


Autorun entries from Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run


*Registry key not found*


--------------------------------------------------


Autorun entries from Registry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run


*Registry key not found*


--------------------------------------------------


Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run


[OptionalComponents]

*No values found*


--------------------------------------------------


Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*


--------------------------------------------------


Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*


--------------------------------------------------


Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*


--------------------------------------------------


Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*


--------------------------------------------------


Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*


--------------------------------------------------


Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*Registry key not found*


--------------------------------------------------


Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*


--------------------------------------------------


Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*


--------------------------------------------------


Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*


--------------------------------------------------


Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*


--------------------------------------------------


Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*


--------------------------------------------------


File association entry for .EXE:

HKEY_CLASSES_ROOT\exefile\shell\open\command


(Default) = "%1" %*


--------------------------------------------------


File association entry for .COM:

HKEY_CLASSES_ROOT\comfile\shell\open\command


(Default) = "%1" %*


--------------------------------------------------


File association entry for .BAT:

HKEY_CLASSES_ROOT\batfile\shell\open\command


(Default) = "%1" %*


--------------------------------------------------


File association entry for .PIF:

HKEY_CLASSES_ROOT\piffile\shell\open\command


(Default) = "%1" %*


--------------------------------------------------


File association entry for .SCR:

HKEY_CLASSES_ROOT\scrfile\shell\open\command


(Default) = "%1" /S


--------------------------------------------------


File association entry for .HTA:

HKEY_CLASSES_ROOT\htafile\shell\open\command


(Default) = D:\WINDOWS\System32\mshta.exe "%1" %*


--------------------------------------------------


File association entry for .TXT:

HKEY_CLASSES_ROOT\txtfile\shell\open\command


(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1


--------------------------------------------------


Enumerating Active Setup stub paths:

HKLM\Software\Microsoft\Active Setup\Installed Components

(* = disabled by HKCU twin)


[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *

StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP


[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT


[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *

StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll


[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install


[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT


[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser


[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\wmp.inf,PerUserStub


[{7790769C-0471-11d2-AF11-00C04FA35D02}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install


[{89820200-ECBD-11cf-8B85-00AA005B4340}] *

StubPath = regsvr32.exe /s /n /i:U shell32.dll


[{89820200-ECBD-11cf-8B85-00AA005B4383}] *

StubPath = %SystemRoot%\system32\ie4uinit.exe


[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *

StubPath = D:\WINDOWS\System32\Rundll32.exe D:\WINDOWS\System32\mscories.dll,Install


[{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}] *

StubPath = rundll32 iesetup.dll,IEAccessUserInst


--------------------------------------------------


Enumerating ICQ Agent Autostart apps:

HKCU\Software\Mirabilis\ICQ\Agent\Apps


*Registry key not found*


--------------------------------------------------


Load/Run keys from D:\WINDOWS\WIN.INI:


load=*INI section not found*

run=*INI section not found*


Load/Run keys from Registry:


HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=


--------------------------------------------------


Shell & screensaver key from D:\WINDOWS\SYSTEM.INI:


Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*


Shell & screensaver key from Registry:


Shell=Explorer.exe

SCRNSAVE.EXE=*Registry value not found*

drivers=*Registry value not found*


Policies Shell key:


HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*


--------------------------------------------------


Checking for EXPLORER.EXE instances:


D:\WINDOWS\Explorer.exe: PRESENT!


C:\Explorer.exe: not present

D:\WINDOWS\Explorer\Explorer.exe: not present

D:\WINDOWS\System\Explorer.exe: not present

D:\WINDOWS\System32\Explorer.exe: not present

D:\WINDOWS\Command\Explorer.exe: not present

D:\WINDOWS\Fonts\Explorer.exe: not present


--------------------------------------------------


Checking for superhidden extensions:


.lnk: HIDDEN! (arrow overlay: yes)

.pif: HIDDEN! (arrow overlay: yes)

.exe: not hidden

.com: not hidden

.bat: not hidden

.hta: not hidden

.scr: not hidden

.shs: HIDDEN!

.shb: HIDDEN!

.vbs: not hidden

.vbe: not hidden

.wsh: not hidden

.scf: HIDDEN! (arrow overlay: NO!)

.url: HIDDEN! (arrow overlay: yes)

.js: not hidden

.jse: not hidden


--------------------------------------------------


Verifying REGEDIT.EXE integrity:


- Regedit.exe found in D:\WINDOWS

- .reg open command is normal (regedit.exe %1)

- Company name OK: 'Microsoft Corporation'

- Original filename OK: 'REGEDIT.EXE'

- File description: 'Edytor rejestru'


Registry check passed


--------------------------------------------------


Enumerating Browser Helper Objects:


(no name) - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - e:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

Malicious Scripts Scanner - D:\Documents and Settings\All Users\Dane aplikacji\Prevx\pxbho.dll - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB}


--------------------------------------------------


Enumerating Task Scheduler jobs:


*No jobs found*


--------------------------------------------------


Enumerating Winsock LSP files:


NameSpace #1: D:\WINDOWS\System32\mswsock.dll

NameSpace #2: D:\WINDOWS\System32\winrnr.dll

NameSpace #3: D:\WINDOWS\System32\mswsock.dll

Protocol #1: D:\WINDOWS\system32\mswsock.dll

Protocol #2: D:\WINDOWS\system32\mswsock.dll

Protocol #3: D:\WINDOWS\system32\mswsock.dll

Protocol #4: D:\WINDOWS\system32\rsvpsp.dll

Protocol #5: D:\WINDOWS\system32\rsvpsp.dll

Protocol #6: D:\WINDOWS\system32\mswsock.dll

Protocol #7: D:\WINDOWS\system32\mswsock.dll

Protocol #8: D:\WINDOWS\system32\mswsock.dll

Protocol #9: D:\WINDOWS\system32\mswsock.dll

Protocol #10: D:\WINDOWS\system32\mswsock.dll

Protocol #11: D:\WINDOWS\system32\mswsock.dll

Protocol #12: D:\WINDOWS\system32\mswsock.dll

Protocol #13: D:\WINDOWS\system32\mswsock.dll


--------------------------------------------------


Enumerating Windows NT/2000/XP services


ArcaBit NetMonitor: D:\Program Files\MKS\Bin\NetMonSV.exe (autostart)

ABTDI: \??\D:\Program Files\MKS\Bin\ABTDI.sys (system)

Sterownik Microsoft ACPI: System32\DRIVERS\ACPI.sys (system)

Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)

Środowisko obsługi sieci AFD: \SystemRoot\System32\drivers\afd.sys (autostart)

Urządzenie alarmowe: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Usługa bramy warstwy aplikacji: %SystemRoot%\System32\alg.exe (manual start)

Zarządzanie aplikacjami: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)

Sterownik multimediów asynchronicznych RAS: System32\DRIVERS\asyncmac.sys (manual start)

Standardowy kontroler dysku twardego IDE/ESDI: System32\DRIVERS\atapi.sys (system)

Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)

ATI Smart: D:\WINDOWS\system32\ati2sgag.exe (autostart)

ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)

Protokół klienta ARP ATM: System32\DRIVERS\atmarpc.sys (manual start)

Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Sterownik Audio Stub: System32\DRIVERS\audstub.sys (manual start)

Usługa inteligentnego transferu w tle: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Przeglądarka komputera: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Sterownik stacji dysków CD-ROM: System32\DRIVERS\cdrom.sys (system)

Usługa indeksowania: D:\WINDOWS\System32\cisvc.exe (manual start)

ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)

Aplikacja systemowa modelu COM+: D:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)

Usługi kryptograficzne: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Klient DHCP: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Sterownik dysku: System32\DRIVERS\disk.sys (system)

Usługa administracyjna Menedżera dysków logicznych: %SystemRoot%\System32\dmadmin.exe /com (manual start)

dmboot: System32\drivers\dmboot.sys (disabled)

Sterownik Menedżera dysków logicznych: System32\drivers\dmio.sys (system)

dmload: System32\drivers\dmload.sys (system)

Menedżer dysków logicznych: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Syntezator Microsoft Kernel DLS: system32\drivers\DMusic.sys (manual start)

Klient DNS: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)

Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)

dtscsi: \SystemRoot\System32\Drivers\dtscsi.sys (manual start)

Usługa raportowania błędów: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Dziennik zdarzeń: %SystemRoot%\system32\services.exe (autostart)

System zdarzeń COM+: D:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)

Zgodność szybkiego przełączania użytkowników: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Sterownik kontrolera stacji dyskietek: System32\DRIVERS\fdc.sys (manual start)

Sterownik stacji dyskietek: System32\DRIVERS\flpydisk.sys (manual start)

Sterownik Menedżera woluminów: System32\DRIVERS\ftdisk.sys (system)

Licznik portów gier: System32\DRIVERS\gameenum.sys (manual start)

Rodzajowy klasyfikator pakietu: System32\DRIVERS\msgpc.sys (manual start)

Pomoc i obsługa techniczna: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Dostęp do urządzeń interfejsu HID: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

Sterownik portu klawiatury i8042 i myszy PS/2: System32\DRIVERS\i8042prt.sys (system)

Usługa COM nagrywania dysków CD IMAPI: D:\WINDOWS\System32\imapi.exe (manual start)

Sterownik filtru ruchu IP: System32\DRIVERS\ipfltdrv.sys (manual start)

Sterownik IP w tunelu IP: System32\DRIVERS\ipinip.sys (manual start)

Translator adresów sieciowych IP: System32\DRIVERS\ipnat.sys (manual start)

Sterownik IPSEC: System32\DRIVERS\ipsec.sys (system)

Usługa wyliczania IR: System32\DRIVERS\irenum.sys (manual start)

Sterownik PnP magistrali ISA/EISA: System32\DRIVERS\isapnp.sys (system)

Sterownik klasy klawiatury: System32\DRIVERS\kbdclass.sys (system)

Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)

Serwer: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Stacja robocza: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Pomoc TCP/IP NetBIOS: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)

Posłaniec: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

MkS_Mon Kernel Engine: \??\D:\Program Files\MKS\Bin\MksMonEn.sys (manual start)

MkS_Mon Kernel Events: \??\D:\Program Files\MKS\Bin\MksMonEv.sys (manual start)

MkS_Mon Kernel Filter Driver: \??\D:\Program Files\MKS\Bin\MksMonFd.sys (manual start)

MkSUpdateInt: D:\Program Files\MKS\bin\MkSUpdateInt.exe (manual start)

MkS_Vir Monitor: D:\Program Files\MKS\Bin\mksmonsv.exe (autostart)

MkS_Scan: D:\Program Files\MKS\Bin\mks_scan.exe (manual start)

NetMeeting Remote Desktop Sharing: D:\WINDOWS\System32\mnmsrvc.exe (manual start)

Sterownik klasy myszy: System32\DRIVERS\mouclass.sys (system)

Readresator klienta WebDav: System32\DRIVERS\mrxdav.sys (manual start)

MRXSMB: System32\DRIVERS\mrxsmb.sys (system)

Distributed Transaction Coordinator: D:\WINDOWS\System32\msdtc.exe (manual start)

Instalator Windows: D:\WINDOWS\System32\msiexec.exe /V (manual start)

Serwer proxy usługi Microsoft Streaming: system32\drivers\MSKSSRV.sys (manual start)

Serwer proxy zegara Microsoft Streaming: system32\drivers\MSPCLOCK.sys (manual start)

Serwer proxy menedżera jakości Microsoft Streaming: system32\drivers\MSPQM.sys (manual start)

Sterownik usługi Dostęp zdalny NDIS TAPI: System32\DRIVERS\ndistapi.sys (manual start)

Protokół We/Wy trybu użytkownika NDIS: System32\DRIVERS\ndisuio.sys (manual start)

Sterownik usługi Dostęp zdalny NDIS WAN: System32\DRIVERS\ndiswan.sys (manual start)

Interfejs NetBIOS: System32\DRIVERS\netbios.sys (system)

NetBios przez TCP/IP: System32\DRIVERS\netbt.sys (system)

DDE sieci: %SystemRoot%\system32\netdde.exe (manual start)

DSDM DDE sieci: %SystemRoot%\system32\netdde.exe (manual start)

Logowanie do sieci: %SystemRoot%\System32\lsass.exe (manual start)

Połączenia sieciowe: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

RCA USB Digital Cable Modem Driver: System32\DRIVERS\netrcacm.sys (manual start)

Rozpoznawanie lokalizacji w sieci (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Usługa NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)

Magazyn wymienny: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

Sterownik filtru ruchu IPX: System32\DRIVERS\nwlnkflt.sys (manual start)

Sterownik usług przesyłania dalej ruchu IPX: System32\DRIVERS\nwlnkfwd.sys (manual start)

Sterownik portu równoległego: System32\DRIVERS\parport.sys (manual start)

Sterownik magistrali PCI: System32\DRIVERS\pci.sys (system)

Plug and Play: %SystemRoot%\system32\services.exe (autostart)

Usługi IPSEC: %SystemRoot%\System32\lsass.exe (autostart)

WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)

Prevx Agent: "D:\Program Files\Prevx1\PXAgent.exe" -f (autostart)

PREVX Kernel Mode Agent: system32\drivers\pxfsf.sys (system)

PREVX Emulator Driver: system32\drivers\pxemu.sys (manual start)

PREVX Tdi filter: system32\drivers\pxtdi.sys (system)

Sterownik procesora: System32\DRIVERS\processr.sys (system)

Magazyn chroniony: %SystemRoot%\system32\lsass.exe (autostart)

Harmonogram pakietów QoS: System32\DRIVERS\psched.sys (manual start)

Sterownik bezpośredniego połączenia kablowego: System32\DRIVERS\ptilink.sys (manual start)

PxHelp20: System32\Drivers\PxHelp20.sys (system)

PREVX Rootkitscan driver: \??\D:\WINDOWS\system32\drivers\pxrd.sys (manual start)

Sterownik automatycznego połączenia dostępu zdalnego: System32\DRIVERS\rasacd.sys (system)

Menedżer autopołączenia dostępu zdalnego: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)

Menedżer połączeń usługi Dostęp zdalny: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Sterownik usługi Dostęp zdalny PPPOE: System32\DRIVERS\raspppoe.sys (manual start)

Bezpośrednie połączenie kablowe: System32\DRIVERS\raspti.sys (manual start)

Rdbss: System32\DRIVERS\rdbss.sys (system)

RDPCDD: System32\DRIVERS\RDPCDD.sys (system)

Sterownik przekierowania urządzenia serwera terminali: System32\DRIVERS\rdpdr.sys (manual start)

Menedżer sesji pomocy pulpitu zdalnego: D:\WINDOWS\system32\sessmgr.exe (manual start)

Sterownik filtru odtwarzania audio cyfrowych dysków CD: System32\DRIVERS\redbook.sys (system)

Routing i dostęp zdalny: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

Rejestr zdalny: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)

Lokalizator usługi zdalnego wywołania procedury (RPC): %SystemRoot%\System32\locator.exe (manual start)

Zdalne wywoływanie procedur (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)

QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)

Sterownik NT karty Realtek RTL8139(A/B/C)-based PCI Fast Ethernet: System32\DRIVERS\RTL8139.SYS (manual start)

Menedżer kont zabezpieczeń: %SystemRoot%\system32\lsass.exe (autostart)

Pomocnik karty inteligentnej: %SystemRoot%\System32\SCardSvr.exe (manual start)

Karta inteligentna: %SystemRoot%\System32\SCardSvr.exe (manual start)

Harmonogram zadań: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Secdrv: System32\DRIVERS\secdrv.sys (autostart)

Logowanie pomocnicze: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Zawiadomienie o zdarzeniu systemowym: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Sterownik filtru Serenum: System32\DRIVERS\serenum.sys (manual start)

Sterownik portu szeregowego: System32\DRIVERS\serial.sys (system)

Zapora połączenia internetowego / Udostępnianie połączenia internetowego: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Wykrywanie sprzętu powłoki: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)

Bufor wydruku: %SystemRoot%\system32\spoolsv.exe (autostart)

Sterownik filtru Przywracania systemu: \SystemRoot\System32\DRIVERS\sr.sys (disabled)

Usługa przywracania systemu: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Srv: System32\DRIVERS\srv.sys (manual start)

Usługa odnajdywania SSDP: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)

Sterownik magistrali programowej: System32\DRIVERS\swenum.sys (manual start)

Syntezator tablicy dźwięków WAVE Microsoft Kernel GS: system32\drivers\swmidi.sys (manual start)

MS Software Shadow Copy Provider: D:\WINDOWS\System32\dllhost.exe /Processid:{FA1B09DE-6973-4D44-8827-97918E190206} (manual start)

Urządzenie audio Microsoft Kernel System: system32\drivers\sysaudio.sys (manual start)

Dzienniki wydajności i alerty: %SystemRoot%\system32\smlogsvc.exe (manual start)

Telefonia: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Sterownik protokołu TCP/IP: System32\DRIVERS\tcpip.sys (system)

Sterownik urządzenia terminalu: System32\DRIVERS\termdd.sys (system)

Usługi terminalowe: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Kompozycje: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Telnet: D:\WINDOWS\System32\tlntsvr.exe (manual start)

Klient śledzenia łączy rozproszonych: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Windows User Mode Driver Framework: D:\WINDOWS\System32\wdfmgr.exe (autostart)

Sterownik Microcode Update: System32\DRIVERS\update.sys (manual start)

Menedżer przekazywania: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Host uniwersalnego urządzenia Plug and Play: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Zasilacz awaryjny (UPS): %SystemRoot%\System32\ups.exe (manual start)

Koncentrator z obsługą USB2: System32\DRIVERS\usbhub.sys (manual start)

Sterownik Miniport uniwersalnego kontrolera hosta USB Microsoft: System32\DRIVERS\usbuhci.sys (manual start)

VgaSave: \SystemRoot\System32\drivers\vga.sys (system)

Filtr magistrali AGP VIA: System32\DRIVERS\viaagp.sys (system)

ViaIde: System32\DRIVERS\viaide.sys (system)

Vinyl AC'97 Audio Controller (WDM): system32\drivers\vinyl97.sys (manual start)

Kopiowanie woluminów w tle: %SystemRoot%\System32\vssvc.exe (manual start)

Usługa Czas systemu Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Sterownik usługi Dostęp zdalny IP ARP: System32\DRIVERS\wanarp.sys (manual start)

Sterownik zgodności audio Microsoft WINMM WDM: system32\drivers\wdmaud.sys (manual start)

WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)

Instrumentacja zarządzania Windows: %systemroot%\system32\svchost.exe -k netsvcs (autostart)

Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Rozszerzenia sterownika Instrumentacji zarządzania Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Karta wydajności WMI: D:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)

Aktualizacje automatyczne: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Konfiguracja zerowej sieci bezprzewodowej: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)



--------------------------------------------------


Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*


Windows NT checkdisk command:

BootExecute = autocheck autochk *


Windows NT 'Wininit.ini':

PendingFileRenameOperations: *Registry value not found*


--------------------------------------------------


Enumerating ShellServiceObjectDelayLoad items:


PostBootReminder: D:\WINDOWS\system32\SHELL32.dll

CDBurn: D:\WINDOWS\system32\SHELL32.dll

WebCheck: D:\WINDOWS\System32\webcheck.dll

SysTray: D:\WINDOWS\System32\stobject.dll


--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run


*Registry key not found*


--------------------------------------------------


Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run


*Registry key not found*


--------------------------------------------------


End of report, 30 236 bytes

Report generated in 0,361 seconds


Command line options:

   /verbose - to add additional info on each section

   /complete - to include empty sections and unsuspicious data

   /full - to include several rarely-important sections

   /force9x - to include Win9x-only startups even if running on WinNT

   /forcent - to include WinNT-only startups even if running on Win9x

   /forceall - to include all Win9x and WinNT startups, regardless of platform

   /history - to list version history only

Log from SR:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "D:\WINDOWS\System32\ctfmon.exe" [MS]

"MSMSGS" = ""D:\Program Files\Messenger\msmsgs.exe" /background" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ATIPTA" = "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

"(Default)" = (empty string)

"MKS_MENU" = "D:\Program Files\MKS\Bin\mks_menu.exe" ["MKS Sp. z o.o."]

"ABREGMON" = "D:\Program Files\MKS\Bin\ABregmon.exe" ["ArcaBit"]

"AudioDeck" = "D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 " ["VIA Technologies, Inc."]

"NeroFilterCheck" = "D:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"DAEMON Tools" = ""e:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]

"PrevxOne" = "D:\Program Files\Prevx1\PXConsole.exe" ["Prevx"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "e:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}\(Default) = "Malicious Scripts Scanner"

  -> {HKLM...CLSID} = "URLDetector Class"

                   \InProcServer32\(Default) = "D:\Documents and Settings\All Users\Dane aplikacji\Prevx\pxbho.dll" ["Prevx Ltd."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"

  -> {HKLM...CLSID} = "SimpleShlExt Class"

                   \InProcServer32\(Default) = "D:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "e:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

MkS_Vir\(Default) = "{CC4245C0-D511-11D0-8918-444553540000}"

  -> {HKLM...CLSID} = "MkS_Vir Shell Extension"

                   \InProcServer32\(Default) = "D:\Program Files\MKS\Bin\MkSShell.dll" [null data]

MyPhoneExplorer\(Default) = "{C63D6E57-FE9E-43D7-B7ED-900DEB695D3E}"

  -> {HKLM...CLSID} = "MyPhoneExplorer_ShellEx.ShellExt"

                   \InProcServer32\(Default) = "e:\Program Files\MyPhoneExplorer\DLL\ShellMgr.dll" ["F.J. Wechselberger"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "e:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "e:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

MkS_Vir\(Default) = "{CC4245C0-D511-11D0-8918-444553540000}"

  -> {HKLM...CLSID} = "MkS_Vir Shell Extension"

                   \InProcServer32\(Default) = "D:\Program Files\MKS\Bin\MkSShell.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "e:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "D:\Documents and Settings\bartek\Dane aplikacji\Opera\Opera\profile\Skin\chaosad.bmp"



Startup items in "bartek" & "All Users" startup folders:

--------------------------------------------------------


D:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"ATI CATALYST System Tray" -> shortcut to: "D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe SystemTray" [null data]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


ArcaBit NetMonitor, ABNetMon, "D:\Program Files\MKS\Bin\NetMonSV.exe" ["ArcaBit sp. z o.o."]

Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

MkS_Scan, MkS_Scan, "D:\Program Files\MKS\Bin\mks_scan.exe" [empty string]

MkS_Vir Monitor, MksVirMonSvc, "D:\Program Files\MKS\Bin\mksmonsv.exe" [empty string]

Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\System32\wdfmgr.exe" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

  use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 120 seconds, including 4 seconds for message boxes)

(Johny) #2

Did you turn off System Restore? Only then can you remove it, otherwise the system keeps restoring it.


(Kosak44) #3

I turned it off.


(Bbieniol) #4

The logs look clean :roll:

I suggest installing SP2 :slight_smile:

Use Windows Worms Doors Cleaner and switch the markers from disable to enable. A system restart is required after using this tool.

Download EWIDO, update it and scan the disk with it :slight_smile:


(Kosak44) #5

It's me again, nothing helps.

Everything I scanned with detects it and supposedly removes it, but nothing ;/

BitDefender even started deleting all the infected files for me (which in practice is almost all the exes), including wdmfmc32.dll, except that the latter keeps coming back ;/

Does this mean fatality?

PS. Should installing SP2 help? (I still can't bring myself to get around to it ;])


(Bbieniol) #6

Did you follow this:

?

Post the HijackThis and Silent Runners logs again (from HijackThis give the normal log: run it --> Do a system scan and save a logfile, and paste it) :slight_smile:


(Kosak44) #7

I used WWDC.

HijackThis:

Logfile of HijackThis v1.99.1 

Scan saved at 16:49:29, on 2006-06-07 

Platform: Windows XP (WinNT 5.01.2600) 

MSIE: Internet Explorer v6.00 (6.00.2600.0000) 


Running processes: 

D:\WINDOWS\System32\smss.exe 

D:\WINDOWS\system32\winlogon.exe 

D:\WINDOWS\system32\services.exe 

D:\WINDOWS\system32\lsass.exe 

D:\WINDOWS\system32\svchost.exe 

D:\WINDOWS\System32\svchost.exe 

D:\WINDOWS\system32\spoolsv.exe 

D:\WINDOWS\Explorer.EXE 

e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe 

e:\Program Files\Alwil Software\Avast4\ashServ.exe 

e:\Program Files\ewido anti-malware\ewidoctrl.exe 

D:\Program Files\VIAudioi\SBADeck\ADeck.exe 

E:\Program Files\DAEMON Tools\daemon.exe 

E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe 

D:\WINDOWS\System32\ctfmon.exe 

D:\Program Files\Messenger\msmsgs.exe 

e:\Program Files\Alwil Software\Avast4\ashWebSv.exe 

e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe 

E:\Program Files\Opera\Opera.exe 

D:\Documents and Settings\bartek\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe 


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll 

O2 - BHO: IE 4.x-5.x BHO in ObjectPascal - {49E0E0F0-5C30-11D4-945D-000000000000} - e:\PROGRA~1\MarBit\TOOLS\IEHelper.dll 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll 

O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe 

O4 - HKLM\..\Run: [AudioDeck] D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 

O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe 

O4 - HKLM\..\Run: [DAEMON Tools] "e:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 

O4 - HKLM\..\Run: [avast!] e:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe 

O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe 

O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background 

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE 

O8 - Extra context menu item: Download with Internet TOOLS - e:\Program Files\MarBit\TOOLS\MBdownload.htm 

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) 

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) 

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab 

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - D:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing) 

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe 

O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe 

O23 - Service: avast! Antivirus - Unknown owner - e:\Program Files\Alwil Software\Avast4\ashServ.exe 

O23 - Service: avast! Mail Scanner - Unknown owner - e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) 

O23 - Service: avast! Web Scanner - Unknown owner - e:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) 

O23 - Service: ewido security suite control - ewido networks - e:\Program Files\ewido anti-malware\ewidoctrl.exe 

O23 - Service: ewido security suite guard - Unknown owner - e:\Program Files\ewido anti-malware\ewidoguard.exe (file missing)

Silent Runners:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/ 

Operating System: Windows XP 

Output limited to non-default values, except where indicated by "{++}" 



Startup items buried in registry: 

--------------------------------- 


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} 

"CTFMON.EXE" = "D:\WINDOWS\System32\ctfmon.exe" [MS] 

"MSMSGS" = ""D:\Program Files\Messenger\msmsgs.exe" /background" [MS] 


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} 

"ATIPTA" = "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [file not found] 

"AudioDeck" = "D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 " ["VIA Technologies, Inc."] 

"NeroFilterCheck" = "D:\WINDOWS\system32\NeroCheck.exe" [file not found] 

"DAEMON Tools" = ""e:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."] 

"avast!" = "e:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data] 


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ 

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) 

  -> {HKLM...CLSID} = "AcroIEHlprObj Class" 

                   \InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] 

{49E0E0F0-5C30-11D4-945D-000000000000}\(Default) = (no title provided) 

  -> {HKLM...CLSID} = "IE 4.x-5.x BHO in ObjectPascal" 

                   \InProcServer32\(Default) = "e:\PROGRA~1\MarBit\TOOLS\IEHelper.dll" ["MarBit"] 

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) 

  -> {HKLM...CLSID} = (no title provided) 

                   \InProcServer32\(Default) = "E:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] 


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ 

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" 

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" 

                   \InProcServer32\(Default) = "deskpan.dll" [file not found] 

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" 

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext" 

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] 

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension" 

  -> {HKLM...CLSID} = "SimpleShlExt Class" 

                   \InProcServer32\(Default) = "D:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string] 

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" 

  -> {HKLM...CLSID} = "WinRAR" 

                   \InProcServer32\(Default) = "e:\Program Files\WinRAR\rarext.dll" [null data] 

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" 

  -> {HKLM...CLSID} = (no title provided) 

                   \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] 

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast" 

  -> {HKLM...CLSID} = "avast" 

                   \InProcServer32\(Default) = "e:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] 


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ 

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard" 

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" 

                   \InProcServer32\(Default) = "e:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: "] 


HKLM\System\CurrentControlSet\Control\Session Manager\ 

INFECTION WARNING! "BootExecute" = "autocheck autochk * aswBoot.exe /M:36a133c88" [file not found], [MS], [file not found], [null data], [file not found] 


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ 

INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] 


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ 

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" 

  -> {HKLM...CLSID} = "PDF Shell Extension" 

                   \InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] 


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ 

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" 

  -> {HKLM...CLSID} = "avast" 

                   \InProcServer32\(Default) = "e:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] 

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}" 

  -> {HKLM...CLSID} = "Ctest Object" 

                   \InProcServer32\(Default) = "e:\Program Files\ewido anti-malware\context.dll" ["ewido networks"] 

MyPhoneExplorer\(Default) = "{C63D6E57-FE9E-43D7-B7ED-900DEB695D3E}" 

  -> {HKLM...CLSID} = "MyPhoneExplorer_ShellEx.ShellExt" 

                   \InProcServer32\(Default) = "e:\Program Files\MyPhoneExplorer\DLL\ShellMgr.dll" ["F.J. Wechselberger"] 

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" 

  -> {HKLM...CLSID} = "WinRAR" 

                   \InProcServer32\(Default) = "e:\Program Files\WinRAR\rarext.dll" [null data] 


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ 

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}" 

  -> {HKLM...CLSID} = "Ctest Object" 

                   \InProcServer32\(Default) = "e:\Program Files\ewido anti-malware\context.dll" ["ewido networks"] 

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" 

  -> {HKLM...CLSID} = "WinRAR" 

                   \InProcServer32\(Default) = "e:\Program Files\WinRAR\rarext.dll" [null data] 


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ 

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" 

  -> {HKLM...CLSID} = "avast" 

                   \InProcServer32\(Default) = "e:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] 

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" 

  -> {HKLM...CLSID} = "WinRAR" 

                   \InProcServer32\(Default) = "e:\Program Files\WinRAR\rarext.dll" [null data] 



Active Desktop and Wallpaper: 

----------------------------- 


Active Desktop is disabled at this entry: 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState 


HKCU\Control Panel\Desktop\ 

"Wallpaper" = "D:\Documents and Settings\bartek\Dane aplikacji\Opera\Opera\profile\Skin\chaosad.bmp" 



Startup items in "bartek" & "All Users" startup folders: 

-------------------------------------------------------- 


D:\Documents and Settings\All Users\Menu Start\Programy\Autostart 

"Microsoft Office" -> shortcut to: "D:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS] 



Winsock2 Service Provider DLLs: 

------------------------------- 


Namespace Service Providers 


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 


Transport Service Providers 


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: 

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 



Toolbars, Explorer Bars, Extensions: 

------------------------------------ 


Extensions (Tools menu items, main toolbar menu buttons) 


HKLM\Software\Microsoft\Internet Explorer\Extensions\ 

{85D1F590-48F4-11D9-9669-0800200C9A66}\ 

"MenuText" = "Uninstall BitDefender Online Scanner v8" 

"Exec" = "%windir%\bdoscandel.exe" [file not found] 



Running Services (Display Name, Service Name, Path {Service DLL}): 

------------------------------------------------------------------ 


avast! Antivirus, avast! Antivirus, ""e:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data] 

avast! iAVS4 Control Service, aswUpdSv, ""e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data] 

avast! Mail Scanner, avast! Mail Scanner, ""e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"] 

avast! Web Scanner, avast! Web Scanner, ""e:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"] 

ewido security suite control, ewido security suite control, "e:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"] 

Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\System32\wdfmgr.exe" [MS] 



---------- 

+ This report excludes default entries except where indicated. 

+ To see *everywhere* the script checks and *everything* it finds, 

  launch it from a command prompt or a shortcut with the -all parameter. 

+ To search all directories of local fixed drives for DESKTOP.INI 

  DLL launch points and all Registry CLSIDs for dormant Explorer Bars, 

  use the -supp parameter or answer "No" at the first message box. 

---------- (total run time: 150 seconds, including 57 seconds for message boxes)
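The two logs above are the kind of thing that gets read line by line in threads like this. As an added example (not a tool from this thread or from HijackThis itself), here is a small Python triage parser for HijackThis O-lines: it pulls the on-disk path out of each O2/O4/O9/O20/O23 entry, strips the "(file missing)" tag, and flags entries whose file name is on a watchlist (seeded with wdmfmc32.dll from the first post), entries that point at a missing file, and Winlogon Notify DLLs. The first five sample lines are copied from the HijackThis log posted above; the O20 line is constructed for illustration so the watchlist match has something to hit, and is not from the posted log. Keep in mind that a launch-point list like this can only tell you what starts automatically, not whether the binaries it names are themselves infected, which is what post #5 describes.

```python
"""Triage helper for HijackThis logs: parse O2/O4/O9/O20/O23 lines, pull out
the on-disk path of each entry and flag the ones worth a second look.
Added example for this thread, not a tool from the original posts."""
import re
from typing import Dict, List

# Constructed sample input. The first five lines are copied from the HJT log
# posted in the thread; the O20 line is made up for illustration, reusing the
# DLL name from the first post so that the watchlist match has a hit.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] e:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: ewido security suite guard - Unknown owner - e:\Program Files\ewido anti-malware\ewidoguard.exe (file missing)
O20 - Winlogon Notify: wdmfmc32 - D:\WINDOWS\system32\wdmfmc32.dll
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# O4 bodies: "<hive>: [<value name>] <command line>"  or  "Global Startup: x.lnk = <path>"
O4_RE = re.compile(
    r"^(?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] (?P<cmd>.+)|(?P<lnk>[^=]+) = (?P<target>.+))$"
)
MISSING = "(file missing)"


def _strip_missing(path: str):
    """Return (path without the trailing '(file missing)' tag, was_missing)."""
    if path.endswith(MISSING):
        return path[: -len(MISSING)].rstrip(), True
    return path, False


def _first_token(cmd: str) -> str:
    """Executable path from a Run command line: the quoted path, or the text
    up to the first .exe/.dll/.lnk followed by whitespace (drops '-lang 1033', ' 1')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.(?:exe|dll|lnk))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_line(line: str) -> Dict:
    """One HJT line -> {'kind', 'name', 'path', 'missing'}; empty dict if not an HJT line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    kind, body = m.group("kind"), m.group("body")
    if kind == "O4":
        o4 = O4_RE.match(body)
        if not o4:
            return {"kind": kind, "name": body, "path": "", "missing": False}
        if o4.group("name") is not None:
            cmd, missing = _strip_missing(o4.group("cmd"))
            return {"kind": kind, "name": o4.group("name"), "path": _first_token(cmd), "missing": missing}
        target, missing = _strip_missing(o4.group("target"))
        return {"kind": kind, "name": o4.group("lnk").strip(), "path": target.strip(), "missing": missing}
    # O2/O9/O20/O23: the file path is the last " - " separated field.
    head, _, tail = body.rpartition(" - ")
    path, missing = _strip_missing(tail.strip())
    return {"kind": kind, "name": head.strip(), "path": path, "missing": missing}


def triage(log_text: str, watchlist=("wdmfmc32.dll",)) -> List[Dict]:
    """Parse every HJT line and attach the reasons the entry deserves attention."""
    wanted = {w.lower() for w in watchlist}
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reasons = []
        base = rec["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in wanted:
            reasons.append("watchlist")          # a name already known to be involved
        if rec["missing"]:
            reasons.append("file missing")       # dangling launch point: leftover or deleted payload
        if rec["kind"] == "O20":
            reasons.append("winlogon notify")    # DLL loaded into winlogon.exe at every logon
        if rec["kind"] == "O23" and "Unknown owner" in rec["name"]:
            reasons.append("no vendor name")     # service binary carries no company string
        rec["reasons"] = reasons
        out.append(rec)
    return out


def suspicious(log_text: str, **kw) -> List[Dict]:
    """Only the entries that collected at least one reason."""
    return [r for r in triage(log_text, **kw) if r["reasons"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['kind']:<4} {r['path']:<62} {', '.join(r['reasons']) or '-'}")
```

Paste a saved HijackThis log into `triage()` (or read it from a file) and extend `watchlist` with any file name a scanner has already reported; entries with no reasons are the ones the thread's repliers would call "clean", and the rest are what to check on disk next.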

(Bbieniol) #8

The logs are clean :slight_smile:

Install SP2 :slight_smile:

Go over the system --> with online scanners