nvX
(Matnow)
9 April 2007 09:51
#1
Hello… I have the following problems:
1) Mozilla doesn't load pages (it barely runs at all)
2) Xfire and other instant messengers are pretty much not working either
3) and in general the net/computer is terribly sluggish…
I suspect it's a virus… maybe Vundo… or someone has snuck into my computer…
I'm sending the logs:
HJT:
Logfile of HijackThis v1.99.1 Scan saved at 11:44:42, on 2007-04-09 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Portrait Displays\ImageTune\dtsslsrv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Microsoft.NET \Framework\v2.0.50727\mscorsvw.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe C:\Program Files\Neostrada TP\taskbaricon.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Multimedia Card Reader\shwicon2k.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\ctfmon.exe E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Neostrada TP\NeostradaTP.exe C:\Program Files\Neostrada TP\ComComp.exe C:\Program Files\Neostrada TP\Watch.exe E:\MATEUSZ\Teamspeak2_RC2\TeamSpeakPL.exe E:\MATEUSZ\Walka z Syfem\wwdc.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\NOTEPAD.EXE E:\MATEUSZ\Antyszpieg\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/ R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - 
C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll O4 - HKLM…\Run: [CnxDslTaskBar] “C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe” “ZTE Corporation\ZXDSL852” O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe” O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MailScanner] C:\Program Files\MKS_VIR_2006\Mks_mail.exe O4 - HKCU…\Run: [spybotSD TeaTimer] E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O15 - Trusted Zone: http://*.mks.com.pl O17 - HKLM\System\CCS\Services\Tcpip…{B30A7E11-B8FA-47AD-BA0E-277086C9E9C5}: NameServer = 194.204.159.1 217.98.63.164 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Asset Management Daemon - Unknown owner - C:\Program 
Files\Portrait Displays\ImageTune\dtsslsrv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
SilentRunner:
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “MailScanner” = “C:\Program Files\MKS_VIR_2006\Mks_mail.exe” [file not found] “SpybotSD TeaTimer” = “E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\TeaTimer.exe” [“Safer Networking Limited”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CnxDslTaskBar” = "“C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe” “ZTE Corporation\ZXDSL852"” [“Conexant Systems, Inc.”] “WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”] “WOOTASKBARICON” = “C:\Program Files\Neostrada TP\taskbaricon.exe” [“France Télécom R&D”] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “Sunkist2k” = “C:\Program Files\Multimedia Card Reader\shwicon2k.exe” [“Alcor Micro, Corp.”] “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “ccApp” = ““C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {1E8A6170-7264-4D0F-BEAE-D42A53123C75}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll” [“Symantec Corporation”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\SDHelper.dll” [“Safer Networking Limited”] 
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{654D0431-C930-43C4-B8DA-9AA01BA5B486}” = “PDI GUI Engine COM Obj” -> {HKLM…CLSID} = “PDI GUI Engine COM Obj” \InProcServer32(Default) = “C:\Program Files\Portrait Displays\ImageTune\HtmlEngine.dll” [“Portrait Displays, Inc”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = 
“C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ <> “{b292ec9f-a074-4115-8342-1f459702d8d2}” = “characterizing” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\fyxkaah.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}” -> {HKLM…CLSID} = “WPDShServiceObj Class” \InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” 
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\dom\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “dom” & “All Users” startup folders: ----------------------------------------------------- C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 
Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{90222687-F593-4738-B738-FBEE9C7B26DF}” = “NCO Toolbar” -> {HKLM…CLSID} = “Show Norton Toolbar” \InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll” [“Symantec Corporation”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ .NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, “C:\WINDOWS\Microsoft.NET \Framework\v2.0.50727\mscorsvw.exe” [MS] Asset Management Daemon, Asset Management Daemon, “C:\Program Files\Portrait Displays\ImageTune\dtsslsrv.exe” [null data] avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. 
+ This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 59 seconds, including 18 seconds for message boxes)
ComboFix:
“dom” - 07-04-09 11:46:06 Dodatek Service Pack 2 ComboFix 07-04-05 - Running from: “E:\MATEUSZ\Walka z Syfem” ((((((((((((((((((((((((((((((( Files Created from 2007-03-09 to 2007-04-09 )))))))))))))))))))))))))))))))))) 2007-04-08 21:54 2007-04-08 21:54 2007-04-08 21:53 2007-04-08 21:53 2007-04-08 21:04 2007-04-06 09:40 2007-04-05 20:05 22,584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys 2007-04-05 16:31 2007-04-05 10:21 99,904 --a------ C:\WINDOWS\system32\PnkBstrB.exe 2007-04-05 10:20 63,040 --a------ C:\WINDOWS\system32\PnkBstrA.exe 2007-04-05 08:55 1,843,840 --a------ C:\WINDOWS\system32\win32k.sys 2007-03-22 19:30 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys 2007-03-22 19:24 98,304 --a------ C:\WINDOWS\system32\MSMD8w.dll 2007-03-22 19:24 73,601 --a------ C:\WINDOWS\system32\MSMD4W.dll 2007-03-22 19:24 72,584 --a------ C:\WINDOWS\system32\MSMCFw.dll 2007-03-22 19:24 7,680 --a------ C:\WINDOWS\system32\drivers\Onsreged.sys 2007-03-22 19:24 67,522 --a------ C:\WINDOWS\system32\MSMD9W.dll 2007-03-22 19:24 62,947 --a------ C:\WINDOWS\system32\MSMC1W.dll 2007-03-22 19:24 62,462 --a------ C:\WINDOWS\system32\MSMCEw.dll 2007-03-22 19:24 60,928 --a------ C:\WINDOWS\system32\drivers\Smplscsi.sys 2007-03-22 19:24 41,733 --a------ C:\WINDOWS\system32\MSMB1W.dll 2007-03-22 19:24 38,215 --a------ C:\WINDOWS\system32\MSM8BW.dll 2007-03-22 19:24 35,906 --a------ C:\WINDOWS\system32\MSMC9W.dll 2007-03-22 19:24 35,906 --a------ C:\WINDOWS\system32\MSMA7W.dll 2007-03-22 19:24 35,563 --a------ C:\WINDOWS\system32\MSMWUD.dll 2007-03-22 19:24 35,246 --a------ C:\WINDOWS\system32\MSMBDW.dll 2007-03-22 19:24 34,720 --a------ C:\WINDOWS\system32\MSMB0W.dll 2007-03-22 19:24 30,565 --a------ C:\WINDOWS\system32\MSMWUD13.dll 2007-03-22 19:24 30,053 --a------ C:\WINDOWS\system32\MSMWUD11.dll 2007-03-22 19:24 30,030 --a------ C:\WINDOWS\system32\MSMWUD7.dll 2007-03-22 19:24 30,013 --a------ C:\WINDOWS\system32\MSMWUD9.dll 2007-03-22 19:24 285,216 --a------ 
C:\WINDOWS\system32\drivers\Onsio.sys 2007-03-22 19:24 208,896 --a------ C:\WINDOWS\system32\MSME5w.dll 2007-03-22 19:24 192,512 --a------ C:\WINDOWS\system32\MSME4W.dll 2007-03-22 19:24 15,389 --a------ C:\WINDOWS\system32\Msmusd5.dll 2007-03-22 19:24 13,962 --a------ C:\WINDOWS\system32\Msmusd6.dll 2007-03-22 19:24 12,499 --a------ C:\WINDOWS\system32\Msmusd7.dll 2007-03-21 19:19 2007-03-21 19:17 327,168 --a------ C:\WINDOWS\IsUn0415.exe 2007-03-21 19:17 2007-03-20 19:13 2,436 --a------ C:\WINDOWS\system32\tmp.reg 2007-03-20 19:08 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe 2007-03-20 19:08 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-03-20 19:08 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-03-20 19:08 40,960 --a------ C:\WINDOWS\system32\swsc.exe 2007-03-20 19:08 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-03-20 19:08 135,168 --a------ C:\WINDOWS\system32\swreg.exe 2007-03-20 19:00 1,168 --a------ C:\WINDOWS\mozver.dat 2007-03-20 18:57 2007-03-20 18:56 0 --a------ C:\WINDOWS\nsreg.dat 2007-03-20 15:20 2007-03-17 21:25 180,224 --a------ C:\WINDOWS\system32\NVUNINST.EXE 2007-03-17 21:25 180,224 --a------ C:\WINDOWS\system32\nvudisp.exe 2007-03-17 21:25 2007-03-17 20:31 2007-03-17 19:37 2007-03-11 19:37 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-04-09 11:23 -------- d-------- C:\Program Files\neostrada tp 2007-04-08 21:54 74230 --a------ C:\WINDOWS\system32\perfc015.dat 2007-04-08 21:54 448004 --a------ C:\WINDOWS\system32\perfh015.dat 2007-04-08 21:36 -------- d-------- C:\DOCUME~1\dom\DANEAP~1\teamspeak2 2007-03-20 08:37 7168 --a-s---- C:\WINDOWS\system32\fyxkaah.dll 2007-03-17 22:06 -------- d–h----- C:\Program Files\installshield installation information 2007-03-08 17:38 579072 --a------ C:\WINDOWS\system32\user32.dll 2007-03-08 17:38 40960 --a------ C:\WINDOWS\system32\mf3216.dll 2007-03-08 17:38 281600 --a------ C:\WINDOWS\system32\gdi32.dll 
2007-02-02 21:31 3761242 --a------ C:\Program Files\ffdshow_rev756_20070109_clsid(dobreprogramy.pl).exe 2007-02-02 20:58 7272967 --a------ C:\Program Files\klcodec283s.exe 2007-02-02 20:46 1493863 --a------ C:\Program Files\allplayer(dobreprogramy.pl).exe 2007-01-30 21:22 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll 2007-01-23 08:50 21840 --a------ C:\WINDOWS\system32\sintfnt.dll 2007-01-23 08:50 17212 --a------ C:\WINDOWS\system32\sintf32.dll 2007-01-23 08:50 12067 --a------ C:\WINDOWS\system32\sintf16.dll 2007-01-15 19:32 689280 --a------ C:\WINDOWS\system32\aswboot.exe 2007-01-15 19:23 90112 --a------ C:\WINDOWS\system32\avastss.scr 2007-01-09 19:46 10752 --a------ C:\WINDOWS\system32\ff_vfw.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” “MailScanner”=“C:\Program Files\MKS_VIR_2006\Mks_mail.exe” “SpybotSD TeaTimer”=“E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\TeaTimer.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “CnxDslTaskBar”="“C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe” “ZTE Corporation\ZXDSL852"” “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” “WOOTASKBARICON”=“C:\Program Files\Neostrada TP\taskbaricon.exe” “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” “Sunkist2k”=“C:\Program Files\Multimedia Card Reader\shwicon2k.exe” “SoundMan”=“SOUNDMAN.EXE” “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” “ccApp”="“C:\Program Files\Common Files\Symantec Shared\ccApp.exe”" “NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” “NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] “NoChange”=“1” “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] “path”=“C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk” “backup”=“C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE " “item”=“Adobe Reader Speed Launch” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^ImageTune.lnk] “path”=“C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\ImageTune.lnk” “backup”=“C:\WINDOWS\pss\ImageTune.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\PORTRA~1\IMAGET~1\dthtml.exe -startup_folder” “item”=“ImageTune” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^Microtek Scanner Finder.lnk] “path”=“C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\Microtek Scanner Finder.lnk” “backup”=“C:\WINDOWS\pss\Microtek Scanner Finder.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\Microtek\SCANWI~1\SCANNE~1.EXE " “item”=“Microtek Scanner Finder” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare] 
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“BearShare” “hkey”=“HKLM” “command”=”“E:\MATEUSZ\Bearshare\BearShare.exe” /pause” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“daemon” “hkey”=“HKLM” “command”="“C:\Program Files\D-Tools\daemon.exe” -lang 1033" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Domowy Keylogger] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“domowykeylogger” “hkey”=“HKCU” “command”=“C:\WINDOWS\System32\domowykeylogger.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“dumprep 0 -k” “hkey”=“HKLM” “command”="%systemroot%\system32\dumprep 0 -k" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UERSD_0001_N91M2407] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“errorsafefreeinstall_pl[1]” “hkey”=“HKLM” “command”="“c:\documents and settings\dom\dane aplikacji\errorsafefreeinstall_pl[1].exe” -nag " “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“nwiz” “hkey”=“HKLM” “command”=“nwiz.exe /install” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“osCheck” “hkey”=“HKLM” “command”="“C:\Program Files\Norton Internet Security\osCheck.exe”" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stack12] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“mfee” “hkey”=“HKLM” “command”=“C:\WINDOWS\system32\mfee.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinInit] 
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”="~409921" “hkey”=“HKCU” “command”="“C:\WINDOWS\system32\~409921.exe " " “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] “SymAppCore”=dword:00000002 “Symantec Core LC”=dword:00000003 “ISPwdSvc”=dword:00000003 “CLTNetCnService”=dword:00000002 “ccSetMgr”=dword:00000002 “ccEvtMgr”=dword:00000002 “PnkBstrB”=dword:00000003 “PnkBstrA”=dword:00000002 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler] “{b292ec9f-a074-4115-8342-1f459702d8d2}”=“characterizing” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] “WPDShServiceObj”=”{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MkS_Scan HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MkS_Scan\Service [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\L] Shell\AutoRun\command L:\autorun.exe [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\M] Shell\AutoRun\command M:\autorun.exe 
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\N] Shell\AutoRun\command N:\Autorun.exe [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{06e9eede-7f6d-11db-a5f2-806d6172696f}] Shell\AutoRun\command K:\Autorun.exe *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST ******************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 07-04-09 11:49:16 C:\ComboFix-quarantined-files.txt … 07-04-09 11:49 C:\ComboFix2.txt … 07-04-09 11:10
thanks in advance
Gutek
(Gutek)
9 April 2007 10:20
#2
Comply with this Topic and change the thread title to a specific one, otherwise it goes to the BIN
Regards, Gutek2222
You have remnants of MKS_VIR_2006 and Norton on the computer - this causes confusion
Additionally - junk:
Use SmitFraudFix, choose option no. 2, in Safe Mode of course, and after that post new logs from HJT and Silent Runners
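The reply above is based on reading the two logs together: Silent Runners marks the SharedTaskScheduler entry as a suspicious launch point and reports the MKS_VIR mail scanner as "[file not found]", while HijackThis still lists the same orphaned O4 entry. The script below is an added example, not code from this thread nor from HijackThis, Silent Runners or SmitFraudFix. It parses the line formats those tools print, applies three defender-side triage checks (tool-flagged entries, autostarts whose target no longer exists, DLLs in system32 with no publisher data), and cross-references HJT O4 entries against the Silent Runners results. The sample lines are constructed from the log excerpts quoted in the thread; the `<<!>>` marker is what Silent Runners prints, and it also accepts the `<>` form the forum rendered it as.

```python
"""Triage helpers for HijackThis (HJT) and Silent Runners logs (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Silent Runners: "name" = "path" [publisher]  and  \InProcServer32(Default) = "dll" [publisher]
SR_ENTRY = re.compile(r'"(?P<name>[^"]*)"\s*=\s*"(?P<path>[^"]*)"\s*\[(?P<tag>[^\]]*)\]')
SR_INPROC = re.compile(r'\\InProcServer32\(Default\)\s*=\s*"(?P<path>[^"]*)"\s*\[(?P<tag>[^\]]*)\]')
SR_FLAG = re.compile(r'^\s*(<<!>>|<>)')            # tool's own "suspicious" marker
# HijackThis: O4 - HKLM\..\Run: [Name] C:\path\prog.exe args
HJT_O4 = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\[^:]*: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$')
SYSTEM32_DLL = re.compile(r'\\system32\\[^\\]+\.dll$', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    path: str
    detail: str


@dataclass
class Autostart:
    hive: str
    name: str
    command: str


def triage_silent_runners(text: str) -> list[Finding]:
    """Apply the three checks to every Silent Runners entry line."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = SR_INPROC.search(line) or SR_ENTRY.search(line)
        if not m:
            continue
        path, tag = m.group("path"), m.group("tag").strip().lower()
        if SR_FLAG.match(line):
            findings.append(Finding("tool-flagged launch point", path, line.strip()))
        if tag == "file not found":
            findings.append(Finding("orphaned autostart", path,
                                    "target missing; typical leftover of uninstalled software"))
        if tag == "null data" and SYSTEM32_DLL.search(path):
            findings.append(Finding("unsigned dll in system32", path, "no publisher information"))
    return findings


def parse_hjt_o4(text: str) -> list[Autostart]:
    """Extract registry Run-key autostarts (O4 lines) from an HJT log."""
    out: list[Autostart] = []
    for line in text.splitlines():
        m = HJT_O4.match(line.strip())
        if m:
            out.append(Autostart(m.group("hive"), m.group("name"), m.group("cmd").strip()))
    return out


def orphaned_hjt_entries(hjt_text: str, sr_text: str) -> list[Autostart]:
    """Cross-check: HJT O4 entries whose target Silent Runners reports as missing."""
    missing = {f.path.lower() for f in triage_silent_runners(sr_text)
               if f.rule == "orphaned autostart"}
    return [a for a in parse_hjt_o4(hjt_text) if any(p in a.command.lower() for p in missing)]


# Constructed sample input, modelled on the log lines quoted in the thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MailScanner] C:\Program Files\MKS_VIR_2006\Mks_mail.exe
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""

SAMPLE_SR = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MailScanner" = "C:\Program Files\MKS_VIR_2006\Mks_mail.exe" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{b292ec9f-a074-4115-8342-1f459702d8d2}" = "characterizing" -> {HKLM...CLSID} = (no title provided) \InProcServer32(Default) = "C:\WINDOWS\system32\fyxkaah.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -> {HKLM...CLSID} = "WPDShServiceObj Class" \InProcServer32(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
"""

if __name__ == "__main__":
    for f in triage_silent_runners(SAMPLE_SR):
        print(f"[{f.rule}] {f.path} :: {f.detail}")
    for a in orphaned_hjt_entries(SAMPLE_HJT, SAMPLE_SR):
        print(f"[hjt orphan] {a.hive} {a.name} -> {a.command}")
```

On the sample the script reports the orphaned MKS_VIR entry once from each log and flags fyxkaah.dll twice (tool-marked and unsigned in system32), while the Microsoft-signed entries stay quiet; that is the same split the reply makes between leftovers to clean up and actual junk to remove.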
nvX
(Matnow)
9 April 2007 10:39
#3
SmitFraudFix removed that junk. The logs you wanted:
HJT:
Logfile of HijackThis v1.99.1 Scan saved at 12:37:39, on 2007-04-09 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Portrait Displays\ImageTune\dtsslsrv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Microsoft.NET \Framework\v2.0.50727\mscorsvw.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe C:\Program Files\Neostrada TP\taskbaricon.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Multimedia Card Reader\shwicon2k.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\ctfmon.exe E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Neostrada TP\NeostradaTP.exe C:\Program Files\Neostrada TP\ComComp.exe C:\Program Files\Neostrada TP\Watch.exe E:\MATEUSZ\Teamspeak2_RC2\TeamSpeakPL.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe E:\MATEUSZ\Antyszpieg\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/ R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll O4 - HKLM…\Run: [CnxDslTaskBar] “C:\Program Files\ZTE 
Corporation\ZXDSL852\CnxDslTb.exe” “ZTE Corporation\ZXDSL852” O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe” O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MailScanner] C:\Program Files\MKS_VIR_2006\Mks_mail.exe O4 - HKCU…\Run: [spybotSD TeaTimer] E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O15 - Trusted Zone: http://*.mks.com.pl O17 - HKLM\System\CCS\Services\Tcpip…{B30A7E11-B8FA-47AD-BA0E-277086C9E9C5}: NameServer = 194.204.159.1 217.98.63.164 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\ImageTune\dtsslsrv.exe O23 - Service: avast! 
Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
SilentRunner:
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MailScanner" = "C:\Program Files\MKS_VIR_2006\Mks_mail.exe" [file not found]
"SpybotSD TeaTimer" = "E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CnxDslTaskBar" = ""C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe" "ZTE Corporation\ZXDSL852"" ["Conexant Systems, Inc."]
"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\Program Files\Neostrada TP\taskbaricon.exe" ["France Télécom R&D"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"Sunkist2k" = "C:\Program Files\Multimedia Card Reader\shwicon2k.exe" ["Alcor Micro, Corp."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}(Default) = (no title provided)
  -> {HKLM…CLSID} = (no title provided)
    \InProcServer32(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll" ["Symantec Corporation"]
{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)
  -> {HKLM…CLSID} = (no title provided)
    \InProcServer32(Default) = "E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM…CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
    \InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM…CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM…CLSID} = "Rozszerzenie ikon plików programu Outlook"
    \InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM…CLSID} = "avast"
    \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{654D0431-C930-43C4-B8DA-9AA01BA5B486}" = "PDI GUI Engine COM Obj"
  -> {HKLM…CLSID} = "PDI GUI Engine COM Obj"
    \InProcServer32(Default) = "C:\Program Files\Portrait Displays\ImageTune\HtmlEngine.dll" ["Portrait Displays, Inc"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM…CLSID} = "WinRAR"
    \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM…CLSID} = "DesktopContext Class"
    \InProcServer32(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM…CLSID} = "NVIDIA CPL Extension"
    \InProcServer32(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM…CLSID} = "Desktop Explorer"
    \InProcServer32(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM…CLSID} = (no title provided)
    \InProcServer32(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM…CLSID} = "nView Desktop Context Menu"
    \InProcServer32(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<> "{b292ec9f-a074-4115-8342-1f459702d8d2}" = "characterizing"
  -> {HKLM…CLSID} = (no title provided)
    \InProcServer32(Default) = "C:\WINDOWS\system32\fyxkaah.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM…CLSID} = "WPDShServiceObj Class"
    \InProcServer32(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"
  -> {HKLM…CLSID} = "PDF Shell Extension"
    \InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\
avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM…CLSID} = "avast"
    \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
    \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
    \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM…CLSID} = "avast"
    \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
    \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\dom\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "dom" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar"
  -> {HKLM…CLSID} = "Show Norton Toolbar"
    \InProcServer32(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
  -> {HKLM…CLSID} = "Search Class"
    \InProcServer32(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\WINDOWS\Microsoft.NET \Framework\v2.0.50727\mscorsvw.exe" [MS]
Asset Management Daemon, Asset Management Daemon, "C:\Program Files\Portrait Displays\ImageTune\dtsslsrv.exe" [null data]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]


----------
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box.
---------- (total run time: 37 seconds, including 3 seconds for message boxes)
Merged post: 09.04.2007 (Mon) 12:41
SmitFraudFix removed that crap. The logs you wanted:
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 12:37:39, on 2007-04-09
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Portrait Displays\ImageTune\dtsslsrv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Microsoft.NET \Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe
C:\Program Files\Neostrada TP\taskbaricon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
E:\MATEUSZ\Teamspeak2_RC2\TeamSpeakPL.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\MATEUSZ\Antyszpieg\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM…\Run: [CnxDslTaskBar] "C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe" "ZTE Corporation\ZXDSL852"
O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM…\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe
O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [MailScanner] C:\Program Files\MKS_VIR_2006\Mks_mail.exe
O4 - HKCU…\Run: [spybotSD TeaTimer] E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://*.mks.com.pl
O17 - HKLM\System\CCS\Services\Tcpip…{B30A7E11-B8FA-47AD-BA0E-277086C9E9C5}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\ImageTune\dtsslsrv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
SilentRunner:
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MailScanner" = "C:\Program Files\MKS_VIR_2006\Mks_mail.exe" [file not found]
"SpybotSD TeaTimer" = "E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CnxDslTaskBar" = ""C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe" "ZTE Corporation\ZXDSL852"" ["Conexant Systems, Inc."]
"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\Program Files\Neostrada TP\taskbaricon.exe" ["France Télécom R&D"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"Sunkist2k" = "C:\Program Files\Multimedia Card Reader\shwicon2k.exe" ["Alcor Micro, Corp."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}(Default) = (no title provided)
  -> {HKLM…CLSID} = (no title provided)
    \InProcServer32(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll" ["Symantec Corporation"]
{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)
  -> {HKLM…CLSID} = (no title provided)
    \InProcServer32(Default) = "E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM…CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
    \InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM…CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM…CLSID} = "Rozszerzenie ikon plików programu Outlook"
    \InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM…CLSID} = "avast"
    \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{654D0431-C930-43C4-B8DA-9AA01BA5B486}" = "PDI GUI Engine COM Obj"
  -> {HKLM…CLSID} = "PDI GUI Engine COM Obj"
    \InProcServer32(Default) = "C:\Program Files\Portrait Displays\ImageTune\HtmlEngine.dll" ["Portrait Displays, Inc"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM…CLSID} = "WinRAR"
    \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM…CLSID} = "DesktopContext Class"
    \InProcServer32(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM…CLSID} = "NVIDIA CPL Extension"
    \InProcServer32(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM…CLSID} = "Desktop Explorer"
    \InProcServer32(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM…CLSID} = (no title provided)
    \InProcServer32(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM…CLSID} = "nView Desktop Context Menu"
    \InProcServer32(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<> "{b292ec9f-a074-4115-8342-1f459702d8d2}" = "characterizing"
  -> {HKLM…CLSID} = (no title provided)
    \InProcServer32(Default) = "C:\WINDOWS\system32\fyxkaah.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM…CLSID} = "WPDShServiceObj Class"
    \InProcServer32(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"
  -> {HKLM…CLSID} = "PDF Shell Extension"
    \InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\
avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM…CLSID} = "avast"
    \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
    \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
    \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM…CLSID} = "avast"
    \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
    \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\dom\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "dom" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar"
  -> {HKLM…CLSID} = "Show Norton Toolbar"
    \InProcServer32(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
  -> {HKLM…CLSID} = "Search Class"
    \InProcServer32(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\WINDOWS\Microsoft.NET \Framework\v2.0.50727\mscorsvw.exe" [MS]
Asset Management Daemon, Asset Management Daemon, "C:\Program Files\Portrait Displays\ImageTune\dtsslsrv.exe" [null data]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]


----------
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box.
---------- (total run time: 37 seconds, including 3 seconds for message boxes)
adam9870
(adam9870)
9 April 2007 10:42
#4
Are you sure you used SmitFraudFix? Run it again with option number 2 in Safe Mode, but this time disable SpybotSD TeaTimer while it runs.
When done, paste new logs, including the ComboFix log plus the contents of the file c:\rapport.txt
nvX
(Matnow)
9 April 2007 11:15
#5
I'm sure I used SmitFraudFix, but Tea Timer didn't start for me this time in Safe Mode. Logs:
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 13:13:27, on 2007-04-09
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Portrait Displays\ImageTune\dtsslsrv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe
C:\Program Files\Neostrada TP\taskbaricon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\WINDOWS\system32\wuauclt.exe
E:\MATEUSZ\Teamspeak2_RC2\TeamSpeakPL.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\MATEUSZ\Antyszpieg\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\MATEUSZ\ANTYSZ~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM…\Run: [CnxDslTaskBar] "C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe" "ZTE Corporation\ZXDSL852"
O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM…\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe
O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [MailScanner] C:\Program Files\MKS_VIR_2006\Mks_mail.exe
O4 - HKCU…\Run: [spybotSD TeaTimer] E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://*.mks.com.pl
O17 - HKLM\System\CCS\Services\Tcpip…{B30A7E11-B8FA-47AD-BA0E-277086C9E9C5}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\ImageTune\dtsslsrv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
SilentRunner:
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MailScanner" = "C:\Program Files\MKS_VIR_2006\Mks_mail.exe" [file not found]
"SpybotSD TeaTimer" = "E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CnxDslTaskBar" = ""C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe" "ZTE Corporation\ZXDSL852"" ["Conexant Systems, Inc."]
"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\Program Files\Neostrada TP\taskbaricon.exe" ["France Télécom R&D"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"Sunkist2k" = "C:\Program Files\Multimedia Card Reader\shwicon2k.exe" ["Alcor Micro, Corp."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}(Default) = (no title provided)
  -> {HKLM…CLSID} = (no title provided)
    \InProcServer32(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll" ["Symantec Corporation"]
{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)
  -> {HKLM…CLSID} = (no title provided)
    \InProcServer32(Default) = "E:\MATEUSZ\ANTYSZ~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM…CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
    \InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM…CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM…CLSID} = "Rozszerzenie ikon plików programu Outlook"
    \InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM…CLSID} = "avast"
    \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{654D0431-C930-43C4-B8DA-9AA01BA5B486}" = "PDI GUI Engine COM Obj"
  -> {HKLM…CLSID} = "PDI GUI Engine COM Obj"
    \InProcServer32(Default) = "C:\Program Files\Portrait Displays\ImageTune\HtmlEngine.dll" ["Portrait Displays, Inc"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM…CLSID} = "WinRAR"
    \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM…CLSID} = "DesktopContext Class"
    \InProcServer32(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM…CLSID} = "NVIDIA CPL Extension"
    \InProcServer32(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM…CLSID} = "Desktop Explorer"
    \InProcServer32(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM…CLSID} = (no title provided)
    \InProcServer32(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM…CLSID} = "nView Desktop Context Menu"
    \InProcServer32(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<> "{b292ec9f-a074-4115-8342-1f459702d8d2}" = "characterizing"
  -> {HKLM…CLSID} = (no title provided)
    \InProcServer32(Default) = "C:\WINDOWS\system32\fyxkaah.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM…CLSID} = "WPDShServiceObj Class"
    \InProcServer32(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"
  -> {HKLM…CLSID} = "PDF Shell Extension"
    \InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\
avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM…CLSID} = "avast"
    \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
    \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
    \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM…CLSID} = "avast"
    \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
    \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "dom" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{90222687-F593-4738-B738-FBEE9C7B26DF}” = “NCO Toolbar” -> {HKLM…CLSID} = “Show Norton Toolbar” \InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll” [“Symantec Corporation”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Asset Management Daemon, Asset Management Daemon, “C:\Program Files\Portrait Displays\ImageTune\dtsslsrv.exe” [null data] avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. 
----------
(total run time: 35 seconds, including 2 seconds for message boxes)
c:/rapport:
SmitFraudFix v2.150
Scan done at 12:55:00,26, 2007-04-09
Run from E:\MATEUSZ\Antyszpieg\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b292ec9f-a074-4115-8342-1f459702d8d2}"="characterizing"
[HKEY_CLASSES_ROOT\CLSID\{b292ec9f-a074-4115-8342-1f459702d8d2}\InProcServer32]
@="C:\WINDOWS\system32\fyxkaah.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b292ec9f-a074-4115-8342-1f459702d8d2}\InProcServer32]
@="C:\WINDOWS\system32\fyxkaah.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b292ec9f-a074-4115-8342-1f459702d8d2}"="characterizing"
[HKEY_CLASSES_ROOT\CLSID\{b292ec9f-a074-4115-8342-1f459702d8d2}\InProcServer32]
@="C:\WINDOWS\system32\fyxkaah.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b292ec9f-a074-4115-8342-1f459702d8d2}\InProcServer32]
@="C:\WINDOWS\system32\fyxkaah.dll"

»»»»»»»»»»»»»»»»»»»»»»»» End
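Added example, not code from this thread or from the Silent Runners project: a small triage helper that reads Silent Runners-style launch-point lines like the ones posted above and lists the entries a helper would look at first (the script's own "<>" marker, a missing target, or a target with no publisher data). The line shapes, the sample lines (straight quotes, built from entries quoted in the log) and the names LaunchPoint, parse_silent_runners and triage are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the shape Silent Runners prints registry launch points,
# built from entries quoted in this thread (straight quotes instead of the forum's
# curly ones). "<>" is the script's own marker for suspicious data at a malware
# launch point or browser hijack point; the bracketed tag after the target is its
# file check: [MS], ["Company"], [null data], [file not found], [empty string].
SAMPLE_LOG = [
    r'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}',
    r'"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]',
    r'"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]',
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}',
    r'"MailScanner" = "C:\Program Files\MKS_VIR_2006\Mks_mail.exe" [file not found]',
    'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler\\',
    r'<> "{b292ec9f-a074-4115-8342-1f459702d8d2}" = "characterizing" -> {HKLM...CLSID} = '
    r'(no title provided) \InProcServer32(Default) = "C:\WINDOWS\system32\fyxkaah.dll" [null data]',
    'HKCU\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks\\',
    r'<> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided) -> {HKLM...CLSID} = '
    r'"Search Class" \InProcServer32(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]',
]

# A key header: HKLM\...\ optionally followed by " {++}" (section lists defaults too).
KEY_RE = re.compile(r'^(?:HKLM|HKCU|HKCR|HKU)\\.*\\(?:\s*\{\+\+\})?\s*$')
# A value line: optional "<>" flag, quoted value name (or CLSID), "=", the rest.
ENTRY_RE = re.compile(r'^(?P<flag><>\s+)?"(?P<name>[^"]+)"\s*=\s*(?P<rest>.+)$')
# The launch target is the last quoted string, followed by the bracketed file tag.
TARGET_RE = re.compile(r'"(?P<target>[^"]*)"\s*\[(?P<tag>[^\]]*)\]\s*$')


@dataclass
class LaunchPoint:
    key: str          # registry key the entry sits under
    name: str         # value name, or the CLSID for COM-style entries
    target: str       # file or command the entry launches
    tag: str          # Silent Runners' file-check tag, without brackets or quotes
    flagged: bool     # True when the script prefixed the line with "<>"
    reasons: List[str] = field(default_factory=list)


def parse_silent_runners(lines):
    """Turn 'key header + value lines' output into LaunchPoint records."""
    entries, key = [], ""
    for raw in lines:
        line = raw.strip()
        if KEY_RE.match(line):
            key = re.sub(r'\s*\{\+\+\}\s*$', '', line)   # remember the current key
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                                      # titles, notes, blank lines
        t = TARGET_RE.search(m.group("rest"))
        if not t:
            continue                                      # no checked file on this line
        entries.append(LaunchPoint(
            key=key,
            name=m.group("name"),
            target=t.group("target"),
            tag=t.group("tag").strip().strip('"'),
            flagged=m.group("flag") is not None,
        ))
    return entries


def triage(entries):
    """Attach review reasons and return only the entries that need a human look."""
    for e in entries:
        e.reasons = []
        if e.flagged:
            e.reasons.append("marked <> by Silent Runners: suspicious launch or hijack point")
        if e.tag == "file not found":
            e.reasons.append("launch target missing on disk: dead entry, clean it up")
        elif e.tag in ("null data", "empty string"):
            e.reasons.append("no publisher in version info: verify where the file came from")
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in triage(parse_silent_runners(SAMPLE_LOG)):
        print(f"{e.name:42} {e.target}")
        for r in e.reasons:
            print(f"    - {r}")
```

A [null data] tag alone is not a verdict (the avast! entry carries it too); the "<>" flag on a system32 DLL with no publisher, as with fyxkaah.dll here, is what moves an entry to the top of the list.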
adam9870
(adam9870)
9 April 2007 11:25
#6
The logs are fine, but paste a new ComboFix log.
nvX
(Matnow)
9 April 2007 11:29
#7
ComboFix:
“dom” - 07-04-09 13:27:05 Dodatek Service Pack 2 ComboFix 07-04-05 - Running from: “E:\MATEUSZ\Walka z Syfem” ((((((((((((((((((((((((((((((( Files Created from 2007-03-09 to 2007-04-09 )))))))))))))))))))))))))))))))))) 2007-04-09 12:54 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe 2007-04-09 12:54 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-04-09 12:54 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-04-09 12:54 40,960 --a------ C:\WINDOWS\system32\swsc.exe 2007-04-09 12:54 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-04-09 12:54 135,168 --a------ C:\WINDOWS\system32\swreg.exe 2007-04-08 21:54 2007-04-08 21:54 2007-04-08 21:53 2007-04-08 21:53 2007-04-08 21:04 2007-04-06 09:40 2007-04-05 20:05 22,584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys 2007-04-05 16:31 2007-04-05 10:21 99,904 --a------ C:\WINDOWS\system32\PnkBstrB.exe 2007-04-05 10:20 63,040 --a------ C:\WINDOWS\system32\PnkBstrA.exe 2007-04-05 08:55 1,843,840 --a------ C:\WINDOWS\system32\win32k.sys 2007-03-22 19:30 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys 2007-03-22 19:24 98,304 --a------ C:\WINDOWS\system32\MSMD8w.dll 2007-03-22 19:24 73,601 --a------ C:\WINDOWS\system32\MSMD4W.dll 2007-03-22 19:24 72,584 --a------ C:\WINDOWS\system32\MSMCFw.dll 2007-03-22 19:24 7,680 --a------ C:\WINDOWS\system32\drivers\Onsreged.sys 2007-03-22 19:24 67,522 --a------ C:\WINDOWS\system32\MSMD9W.dll 2007-03-22 19:24 62,947 --a------ C:\WINDOWS\system32\MSMC1W.dll 2007-03-22 19:24 62,462 --a------ C:\WINDOWS\system32\MSMCEw.dll 2007-03-22 19:24 60,928 --a------ C:\WINDOWS\system32\drivers\Smplscsi.sys 2007-03-22 19:24 41,733 --a------ C:\WINDOWS\system32\MSMB1W.dll 2007-03-22 19:24 38,215 --a------ C:\WINDOWS\system32\MSM8BW.dll 2007-03-22 19:24 35,906 --a------ C:\WINDOWS\system32\MSMC9W.dll 2007-03-22 19:24 35,906 --a------ C:\WINDOWS\system32\MSMA7W.dll 2007-03-22 19:24 35,563 --a------ C:\WINDOWS\system32\MSMWUD.dll 2007-03-22 19:24 35,246 --a------ 
C:\WINDOWS\system32\MSMBDW.dll 2007-03-22 19:24 34,720 --a------ C:\WINDOWS\system32\MSMB0W.dll 2007-03-22 19:24 30,565 --a------ C:\WINDOWS\system32\MSMWUD13.dll 2007-03-22 19:24 30,053 --a------ C:\WINDOWS\system32\MSMWUD11.dll 2007-03-22 19:24 30,030 --a------ C:\WINDOWS\system32\MSMWUD7.dll 2007-03-22 19:24 30,013 --a------ C:\WINDOWS\system32\MSMWUD9.dll 2007-03-22 19:24 285,216 --a------ C:\WINDOWS\system32\drivers\Onsio.sys 2007-03-22 19:24 208,896 --a------ C:\WINDOWS\system32\MSME5w.dll 2007-03-22 19:24 192,512 --a------ C:\WINDOWS\system32\MSME4W.dll 2007-03-22 19:24 15,389 --a------ C:\WINDOWS\system32\Msmusd5.dll 2007-03-22 19:24 13,962 --a------ C:\WINDOWS\system32\Msmusd6.dll 2007-03-22 19:24 12,499 --a------ C:\WINDOWS\system32\Msmusd7.dll 2007-03-21 19:19 2007-03-21 19:17 327,168 --a------ C:\WINDOWS\IsUn0415.exe 2007-03-21 19:17 2007-03-20 19:13 2,436 --a------ C:\WINDOWS\system32\tmp.reg 2007-03-20 19:00 1,168 --a------ C:\WINDOWS\mozver.dat 2007-03-20 18:57 2007-03-20 18:56 0 --a------ C:\WINDOWS\nsreg.dat 2007-03-20 15:20 2007-03-17 21:25 180,224 --a------ C:\WINDOWS\system32\NVUNINST.EXE 2007-03-17 21:25 180,224 --a------ C:\WINDOWS\system32\nvudisp.exe 2007-03-17 21:25 2007-03-17 20:31 2007-03-17 19:37 2007-03-11 19:37 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-04-09 13:08 -------- d-------- C:\Program Files\neostrada tp 2007-04-08 21:54 74230 --a------ C:\WINDOWS\system32\perfc015.dat 2007-04-08 21:54 448004 --a------ C:\WINDOWS\system32\perfh015.dat 2007-04-08 21:36 -------- d-------- C:\DOCUME~1\dom\DANEAP~1\teamspeak2 2007-03-20 08:37 7168 --a-s---- C:\WINDOWS\system32\fyxkaah.dll 2007-03-17 22:06 -------- d–h----- C:\Program Files\installshield installation information 2007-03-08 17:38 579072 --a------ C:\WINDOWS\system32\user32.dll 2007-03-08 17:38 40960 --a------ C:\WINDOWS\system32\mf3216.dll 2007-03-08 17:38 281600 --a------ C:\WINDOWS\system32\gdi32.dll 
2007-02-02 21:31 3761242 --a------ C:\Program Files\ffdshow_rev756_20070109_clsid(dobreprogramy.pl).exe 2007-02-02 20:58 7272967 --a------ C:\Program Files\klcodec283s.exe 2007-02-02 20:46 1493863 --a------ C:\Program Files\allplayer(dobreprogramy.pl).exe 2007-01-30 21:22 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll 2007-01-23 08:50 21840 --a------ C:\WINDOWS\system32\sintfnt.dll 2007-01-23 08:50 17212 --a------ C:\WINDOWS\system32\sintf32.dll 2007-01-23 08:50 12067 --a------ C:\WINDOWS\system32\sintf16.dll 2007-01-15 19:32 689280 --a------ C:\WINDOWS\system32\aswboot.exe 2007-01-15 19:23 90112 --a------ C:\WINDOWS\system32\avastss.scr 2007-01-09 19:46 10752 --a------ C:\WINDOWS\system32\ff_vfw.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” “MailScanner”=“C:\Program Files\MKS_VIR_2006\Mks_mail.exe” “SpybotSD TeaTimer”=“E:\MATEUSZ\Antyszpieg\Spybot - Search & Destroy\TeaTimer.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “CnxDslTaskBar”="“C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe” “ZTE Corporation\ZXDSL852"” “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” “WOOTASKBARICON”=“C:\Program Files\Neostrada TP\taskbaricon.exe” “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” “Sunkist2k”=“C:\Program Files\Multimedia Card Reader\shwicon2k.exe” “SoundMan”=“SOUNDMAN.EXE” “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” “ccApp”="“C:\Program Files\Common Files\Symantec Shared\ccApp.exe”" “NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” “NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] “NoChange”=“1” “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] “path”=“C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk” “backup”=“C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE " “item”=“Adobe Reader Speed Launch” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^ImageTune.lnk] “path”=“C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\ImageTune.lnk” “backup”=“C:\WINDOWS\pss\ImageTune.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\PORTRA~1\IMAGET~1\dthtml.exe -startup_folder” “item”=“ImageTune” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^Microtek Scanner Finder.lnk] “path”=“C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\Microtek Scanner Finder.lnk” “backup”=“C:\WINDOWS\pss\Microtek Scanner Finder.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\Microtek\SCANWI~1\SCANNE~1.EXE " “item”=“Microtek Scanner Finder” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare] 
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“BearShare” “hkey”=“HKLM” “command”=”“E:\MATEUSZ\Bearshare\BearShare.exe” /pause” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“daemon” “hkey”=“HKLM” “command”="“C:\Program Files\D-Tools\daemon.exe” -lang 1033" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Domowy Keylogger] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“domowykeylogger” “hkey”=“HKCU” “command”=“C:\WINDOWS\System32\domowykeylogger.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“dumprep 0 -k” “hkey”=“HKLM” “command”="%systemroot%\system32\dumprep 0 -k" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UERSD_0001_N91M2407] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“errorsafefreeinstall_pl[1]” “hkey”=“HKLM” “command”="“c:\documents and settings\dom\dane aplikacji\errorsafefreeinstall_pl[1].exe” -nag " “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“nwiz” “hkey”=“HKLM” “command”=“nwiz.exe /install” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“osCheck” “hkey”=“HKLM” “command”="“C:\Program Files\Norton Internet Security\osCheck.exe”" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stack12] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“mfee” “hkey”=“HKLM” “command”=“C:\WINDOWS\system32\mfee.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinInit] 
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”="~409921" “hkey”=“HKCU” “command”="“C:\WINDOWS\system32\~409921.exe " " “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] “SymAppCore”=dword:00000002 “Symantec Core LC”=dword:00000003 “ISPwdSvc”=dword:00000003 “CLTNetCnService”=dword:00000002 “ccSetMgr”=dword:00000002 “ccEvtMgr”=dword:00000002 “PnkBstrB”=dword:00000003 “PnkBstrA”=dword:00000002 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler] “{b292ec9f-a074-4115-8342-1f459702d8d2}”=“characterizing” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] “WPDShServiceObj”=”{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MkS_Scan HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MkS_Scan\Service [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\K] Shell\AutoRun\command K:\Autorun.exe *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST ******************************************************************** catchme 0.2 
W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 07-04-09 13:30:10 C:\ComboFix-quarantined-files.txt … 07-04-09 13:30 C:\ComboFix2.txt … 07-04-09 11:49 C:\ComboFix3.txt … 07-04-09 11:10
adam9870
(adam9870)
9 April 2007 11:58
#8
Disable SpybotSD TeaTimer
Open Notepad and paste this into it:
File >>> Save As >>> Change the file type from TXT to All Files >>> Save it under the name FIX.REG
Boot the system into Safe Mode
Run SmitFraudFix using option number 2
Check whether you have these files on disk:
and if so, delete them manually
Double-click the FIX.REG file and confirm adding it to the registry
Restart the computer and re-enable SpybotSD TeaTimer
Post a new ComboFix log.
Did you install this yourself? If not, delete the file C:\WINDOWS\System32\domowykeylogger.exe manually, then Start => Run => regedit => go to the key:
and delete Domowy Keylogger
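As an added defender-side example (my code, not something from this thread): a PowerShell audit of the same autorun locations the instructions above touch, the HKCU/HKLM Run keys and the msconfig startupreg entries, reporting whether each entry's executable exists and carries a valid Authenticode signature, so an unsigned executable parked in System32 stands out before anything is deleted by hand. The registry paths are the standard ones; the "unsigned in System32" flag and the path-resolution rules are my own assumptions, not a rule from the thread.

```powershell
# Added example, not code from the thread: audit the autorun locations the
# thread works through (HKLM/HKCU ...\Run and the entries msconfig keeps
# under ...\shared tools\msconfig\startupreg) and flag the ones that deserve
# a second look before anything is deleted.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$disabledKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'

function Get-ExePath([string]$Command) {
    # Pull the executable out of a Run-value command line: quoted paths,
    # rundll32-style hosts and bare names resolved through PATH.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1); if ($end -lt 0) { $end = $cmd.Length }
        $exe = $cmd.Substring(1, $end - 1)
    } else {
        $exe = ($cmd -split '\s+')[0]
    }
    if (-not [IO.Path]::HasExtension($exe)) { $exe += '.exe' }   # e.g. "dumprep 0 -k"
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($found) { $exe = $found.Path }
    }
    return $exe
}

function Test-AutorunEntry([string]$Name, [string]$Command, [string]$Where) {
    $exe = Get-ExePath $Command
    $exists = Test-Path -LiteralPath $exe
    $status = 'n/a'
    if ($exists) { $status = (Get-AuthenticodeSignature -FilePath $exe).Status }
    $flag = ''
    if (-not $exists) { $flag = 'MISSING FILE' }
    elseif ($status -ne 'Valid' -and $exe -like "$env:SystemRoot\system32\*") {
        $flag = 'UNSIGNED IN SYSTEM32'   # assumed heuristic, e.g. domowykeylogger.exe
    }
    [pscustomobject]@{ Location = $Where; Name = $Name; Exe = $exe; Signature = $status; Flag = $flag }
}

$report = @(foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata
        Test-AutorunEntry $p.Name $p.Value $key
    }
})
$report += @(foreach ($sub in Get-ChildItem $disabledKey -ErrorAction SilentlyContinue) {
    $v = Get-ItemProperty $sub.PSPath
    Test-AutorunEntry $v.item $v.command "msconfig-disabled ($($v.hkey))"
})
$report | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the machine being cleaned; a flagged row only means "look closer", the decision to delete still belongs to whoever reads the log.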
nvX
(Matnow)
9 April 2007 19:01
#9
I followed the instructions, and as for that Domowy Keylogger, I have no idea where it came from… ComboFix log:
adam9870
(adam9870)
9 April 2007 19:07
#10
It's OK now.
The regular version of BearShare comes bundled with junk, so I suggest removing it. If you really want to keep using it, install the Lite version, which has the junk stripped out.
nvX
(Matnow)
9 April 2007 19:22
#11
OK, I removed BearShare, but the problem is still there :? This registry entry puzzles me:
What is it for?
adam9870
(adam9870)
9 April 2007 19:46
#12
In short: KernelFaultCheck is created as a result of a memory dump. A message along the lines of "dumping physical memory …" appears and a minidump file is created. You can learn about reading minidump files here:
http://www.strefabezpieczenstwa.pl/topics1/183.htm
nvX
(Matnow)
9 April 2007 19:50
#13
Ah, fine… But what about the problem?
Merged post: 11.04.2007 (Wed) 14:57
So the only thing left is a format?
Well, that sucks, is the topic dead or what the f***?