ROOTKIT, Gmer odnalazł modyfikacje systemu

Lupus36 · 24 Wrzesień 2006 21:37

Oto nowy Silent: “Silent Runners.vbs”, revision 48, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“swg” = “C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe” [“Google Inc.”]

“MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS]

“Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z o.o.”]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“VTTrayp” = “VTtrayp.exe” [“S3 Graphics Co., Ltd.”]

“VTTimer” = “VTTimer.exe” [“S3 Graphics, Inc.”]

“Symantec NetDriver Monitor” = “C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer” [“Symantec Corporation”]

“SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”]

“SMSERIAL” = “sm56hlpr.exe” [“Motorola Inc.”]

“OdTray.exe” = ““C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe”” [“Funk Software, Inc.”]

“NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]

“CloneCDTray” = ““C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe”” [“Elaborate Bytes”]

“CloneCDElbyCDFL” = ““C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe” /L ElbyCDFL” [“Elaborate Bytes”]

“ccApp” = ““C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”]

HKLM\Software\Microsoft\Active Setup\Installed Components\

>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}(Default) = “Outlook Express”

\StubPath = “C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]

{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”]

{9ECB9560-04F9-4bbc-943D-298DDF1699E1}(Default) = “Norton Internet Security”

-> {HKLM…CLSID} = “CNisExtBho Class”

\InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll” [“Symantec Corporation”]

{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)

-> {HKLM…CLSID} = “Google Toolbar Helper”

\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]

{BDF3E430-B101-42AD-A544-FADC6B084872}(Default) = “NAV Helper”

-> {HKLM…CLSID} = “CNavExtBho Class”

\InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”

-> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”

\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

“{8e9d6600-f84a-11ce-8daa-00aa004a5691}” = “Shell extensions for NetWare”

-> {HKLM…CLSID} = “NetWare Objects”

\InProcServer32(Default) = “nwprovau.dll” [MS]

“{e3f2bac0-099f-11cf-8daa-00aa004a5691}” = “Shell extensions for NetWare”

-> {HKLM…CLSID} = “NetWare UNC Folder Menu”

\InProcServer32(Default) = “nwprovau.dll” [MS]

“{52c68510-09a0-11cf-8daa-00aa004a5691}” = “Shell extensions for NetWare”

-> {HKLM…CLSID} = “NetWare Hood Verbs”

\InProcServer32(Default) = “nwprovau.dll” [MS]

“{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band”

-> {HKLM…CLSID} = “Shell Search Band”

\InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

INFECTION WARNING! “GinaDLL” = “C:\WINDOWS\System32\BCMLogon.dll” [“Broadcom Corporation”]

HKLM\System\CurrentControlSet\Control\Session Manager\

“BootExecute” = ** WARNING – empty or invalid data! **

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! OdysseyClient\DLLName = “odyEvent.dll” [“Funk Software, Inc.”]

HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! application/octet-stream\CLSID = “{1E66F26B-79EE-11D2-8710-00C04F79ED0D}”

-> {HKLM…CLSID} = “Cor MIME Filter, CorFltr, CorFltr 1”

\InProcServer32(Default) = “C:\WINDOWS\ServicePackFiles\i386\mscoree.dll” [MS]

INFECTION WARNING! application/x-complus\CLSID = “{1E66F26B-79EE-11D2-8710-00C04F79ED0D}”

-> {HKLM…CLSID} = “Cor MIME Filter, CorFltr, CorFltr 1”

\InProcServer32(Default) = “C:\WINDOWS\ServicePackFiles\i386\mscoree.dll” [MS]

INFECTION WARNING! application/x-msdownload\CLSID = “{1E66F26B-79EE-11D2-8710-00C04F79ED0D}”

-> {HKLM…CLSID} = “Cor MIME Filter, CorFltr, CorFltr 1”

\InProcServer32(Default) = “C:\WINDOWS\ServicePackFiles\i386\mscoree.dll” [MS]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}”

-> {HKLM…CLSID} = “IEContextMenu Class”

\InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NetWareUNCMenu(Default) = “{e3f2bac0-099f-11cf-8daa-00aa004a5691}”

-> {HKLM…CLSID} = “NetWare UNC Folder Menu”

\InProcServer32(Default) = “nwprovau.dll” [MS]

Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}”

-> {HKLM…CLSID} = “IEContextMenu Class”

\InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

Active Desktop and Wallpaper:

Active Desktop is enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Enabled Screen Saver:

HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS]

Startup items in “Tatulo” & “All Users” startup folders:

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS]

Enabled Scheduled Tasks:

“Norton AntiVirus - Skanuj komputer - Tatulo” -> launches: “C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exe /task:“C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Tasks\mycomp.sca”” [“Symantec Corporation”]

“Symantec NetDetect” -> launches: “C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE” [“Symantec Corporation”]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

“{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}”

-> {HKLM…CLSID} = “Norton AntiVirus”

\InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

“{2318C2B1-4965-11D4-9B18-009027A5CD4F}”

-> {HKLM…CLSID} = “&Google”

\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]

“{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}”

-> {HKLM…CLSID} = “Norton AntiVirus”

\InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]

“{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}”

-> {HKLM…CLSID} = “Norton Internet Security”

\InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll” [“Symantec Corporation”]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

“{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided)

-> {HKLM…CLSID} = “&Google”

\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]

“{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}” = “Norton Internet Security”

-> {HKLM…CLSID} = “Norton Internet Security”

\InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll” [“Symantec Corporation”]

“{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}” = “Norton AntiVirus”

-> {HKLM…CLSID} = “Norton AntiVirus”

\InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

“ButtonText” = “Messenger”

“MenuText” = “Windows Messenger”

“Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

Agent SAP, NwSapAgent, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\ipxsap.dll” [MS]}

Broadcom Wireless LAN Tray Service, wltrysvc, “C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe” [null data]

ISSvc, ISSVC, ““C:\Program Files\Norton Internet Security\ISSVC.exe”” [“Symantec Corporation”]

Odyssey Client for Fujitsu Siemens Computers, odClientService, “C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe” [“Funk Software, Inc.”]

Symantec Event Manager, ccEvtMgr, ““C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”” [“Symantec Corporation”]

Symantec Network Drivers Service, SNDSrvc, ““C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe”” [“Symantec Corporation”]

Symantec Network Proxy, ccProxy, ““C:\Program Files\Common Files\Symantec Shared\ccProxy.exe”” [“Symantec Corporation”]

Symantec Settings Manager, ccSetMgr, ““C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe”” [“Symantec Corporation”]

Symantec SPBBCSvc, SPBBCSvc, ““C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe”” [“Symantec Corporation”]

Usługa Auto-Protect programu Norton AntiVirus, navapsvc, ““C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe”” [“Symantec Corporation”]

Usługa klienta dla systemu NetWare, NWCWorkstation, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\nwwks.dll” [MS]}

This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

To search all directories of local fixed drives for DESKTOP.INI

DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

use the -supp parameter or answer “No” at the first message box.

---------- (total run time: 21 seconds, including 2 seconds for message boxes)

Ale niestety pojawił się też kolejny problem!! Uruchomiłem Gmer-a i od razu komunikat. UWAGA! Gmer odnalazł modyfikacje systemu, które mogły zostać dokonane przez Rootkit’a i oczywiście zalecenie dokładładnego przeszukania systemu. Oto wynik:

GMER 1.0.11.11349 - http://www.gmer.net Rootkit 2006-09-24 23:30:08 Windows 5.1.2600 Dodatek Service Pack 2 ---- System - GMER 1.0.11 ---- SSDT 82AAB7C8 ZwConnectPort SSDT 82A4CAB8 ZwDuplicateObject SSDT 82A565D0 ZwOpenProcess SSDT 82A53660 ZwOpenThread ---- Devices - GMER 1.0.11 ---- Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 8287D278 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 827D5010 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8288EB78 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 8288EB78 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8288EB78 Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_INTERNAL_DEVICE_CONTROL 8288EB78 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-10 IRP_MJ_INTERNAL_DEVICE_CONTROL 8288EB78 Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_DEVICE_CONTROL [F825BA7C] GDTdiIcpt.sys Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_INTERNAL_DEVICE_CONTROL [F825BA7C] GDTdiIcpt.sys ---- Processes - GMER 1.0.11 ---- Process CCPROXY.EXE (*** hidden *** ) [1220] 8287C9E0 Process CCAPP.EXE (*** hidden *** ) [1740] 821AA7D0 Process SNDSrvc.exe (*** hidden *** ) [1260] 828B55D0 Process CCEVTMGR.EXE (*** hidden *** ) [1308] 829D3390 Process SPBBCSvc.exe (*** hidden *** ) [1272] 8288B5D8 ---- Files - GMER 1.0.11 ---- ADS … ---- EOF - GMER 1.0.11 ----

Bieniol · 24 Wrzesień 2006 21:38

Log jest czysty

Jednak w Silencie nadal figuruje:

Lupus36 · 24 Wrzesień 2006 22:01

Nie wiem co się dzieje ale jest coraz gorzej. Teraz po zrestartowaniu komp otwierał się ok 2 minut. Do tego Norton wyrzuca alert - Kontrola programów

Heeeeeeeeeeelp

Złączono Posta : 24.09.2006 (Nie) 23:42

To najnowszy log Silent:

“Silent Runners.vbs”, revision 48, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “swg” = “C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe” [“Google Inc.”] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z o.o.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “VTTrayp” = “VTtrayp.exe” [“S3 Graphics Co., Ltd.”] “VTTimer” = “VTTimer.exe” [“S3 Graphics, Inc.”] “Symantec NetDriver Monitor” = “C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer” [“Symantec Corporation”] “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “SMSERIAL” = “sm56hlpr.exe” [“Motorola Inc.”] “OdTray.exe” = ““C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe”” [“Funk Software, Inc.”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “CloneCDTray” = ““C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe”” [“Elaborate Bytes”] “CloneCDElbyCDFL” = ““C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe” /L ElbyCDFL” [“Elaborate Bytes”] “ccApp” = ““C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”] HKLM\Software\Microsoft\Active Setup\Installed Components\ >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}(Default) = “Outlook Express” \StubPath = “C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {9ECB9560-04F9-4bbc-943D-298DDF1699E1}(Default) = “Norton Internet Security” -> {HKLM…CLSID} = “CNisExtBho Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll” [“Symantec Corporation”] {AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided) -> {HKLM…CLSID} = “Google Toolbar Helper” \InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”] {BDF3E430-B101-42AD-A544-FADC6B084872}(Default) = “NAV Helper” -> {HKLM…CLSID} = “CNavExtBho Class” \InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{8e9d6600-f84a-11ce-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare Objects” \InProcServer32(Default) = “nwprovau.dll” [MS] “{e3f2bac0-099f-11cf-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare UNC Folder Menu” \InProcServer32(Default) = “nwprovau.dll” [MS] “{52c68510-09a0-11cf-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare Hood Verbs” \InProcServer32(Default) = “nwprovau.dll” [MS] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! “GinaDLL” = “C:\WINDOWS\System32\BCMLogon.dll” [“Broadcom Corporation”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! OdysseyClient\DLLName = “odyEvent.dll” [“Funk Software, Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! application/octet-stream\CLSID = “{1E66F26B-79EE-11D2-8710-00C04F79ED0D}” -> {HKLM…CLSID} = “Cor MIME Filter, CorFltr, CorFltr 1” \InProcServer32(Default) = “C:\WINDOWS\ServicePackFiles\i386\mscoree.dll” [MS] INFECTION WARNING! application/x-complus\CLSID = “{1E66F26B-79EE-11D2-8710-00C04F79ED0D}” -> {HKLM…CLSID} = “Cor MIME Filter, CorFltr, CorFltr 1” \InProcServer32(Default) = “C:\WINDOWS\ServicePackFiles\i386\mscoree.dll” [MS] INFECTION WARNING! application/x-msdownload\CLSID = “{1E66F26B-79EE-11D2-8710-00C04F79ED0D}” -> {HKLM…CLSID} = “Cor MIME Filter, CorFltr, CorFltr 1” \InProcServer32(Default) = “C:\WINDOWS\ServicePackFiles\i386\mscoree.dll” [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}” -> {HKLM…CLSID} = “IEContextMenu Class” \InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ NetWareUNCMenu(Default) = “{e3f2bac0-099f-11cf-8daa-00aa004a5691}” -> {HKLM…CLSID} = “NetWare UNC Folder Menu” \InProcServer32(Default) = “nwprovau.dll” [MS] Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}” -> {HKLM…CLSID} = “IEContextMenu Class” \InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is enabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Tatulo” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Enabled Scheduled Tasks: ------------------------ “Norton AntiVirus - Skanuj komputer - Tatulo” -> launches: “C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exe /task:“C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Tasks\mycomp.sca”” [“Symantec Corporation”] “Symantec NetDetect” -> launches: “C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE” [“Symantec Corporation”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}” -> {HKLM…CLSID} = “Norton AntiVirus” \InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”] “{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}” -> {HKLM…CLSID} = “Norton AntiVirus” \InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] “{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}” -> {HKLM…CLSID} = “Norton Internet Security” \InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll” [“Symantec Corporation”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided) -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”] “{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}” = “Norton Internet Security” -> {HKLM…CLSID} = “Norton Internet Security” \InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll” [“Symantec Corporation”] “{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}” = “Norton AntiVirus” -> {HKLM…CLSID} = “Norton AntiVirus” \InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Agent SAP, NwSapAgent, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\ipxsap.dll” [MS]} Broadcom Wireless LAN Tray Service, wltrysvc, “C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe” [null data] ISSvc, ISSVC, ““C:\Program Files\Norton Internet Security\ISSVC.exe”” [“Symantec Corporation”] Odyssey Client for Fujitsu Siemens Computers, odClientService, “C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe” [“Funk Software, Inc.”] Symantec Event Manager, ccEvtMgr, ““C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”” [“Symantec Corporation”] Symantec Network Drivers Service, SNDSrvc, ““C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe”” [“Symantec Corporation”] Symantec Network Proxy, ccProxy, ““C:\Program Files\Common Files\Symantec Shared\ccProxy.exe”” [“Symantec Corporation”] Symantec Settings Manager, ccSetMgr, ““C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe”” [“Symantec Corporation”] Symantec SPBBCSvc, SPBBCSvc, ““C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe”” [“Symantec Corporation”] Usługa Auto-Protect programu Norton AntiVirus, navapsvc, ““C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe”” [“Symantec Corporation”] Usługa klienta dla systemu NetWare, NWCWorkstation, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\nwwks.dll” [MS]} ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer “No” at the first message box. ---------- (total run time: 24 seconds, including 2 seconds for message boxes)

Chyba się udało wyrugować ten dziwny rejestr, natomiast nie zmieniło to sytuacji odnośnie otwierania kompa - trwa to około 2 minut: otwiera się pasek zadań i muli coś w tle. Po 2 minutach najpierw niebieski pulpit (przez sekundę) a potem wraca wszytko do normy. Co robić??

Bieniol · 25 Wrzesień 2006 11:48

Log jest już czysty

Przeczyść rejestr (polecam do tego jv16 PowerTools 2006 1.5.2.344), zrób defragmentację, oraz przejrzyj: Optymalizacja XP

Wejdź: Start --> uruchom --> msconfig i w zakładce uruchamianie odznacz (według Ciebie) niepotrzbne przy autostarcie programy

Lupus36 · 25 Wrzesień 2006 12:57

Jak doradziłeś przeczyściłem rejestr, odznaczyłem niepotrzebne programy i defragmentowalem ale bez zmian. Natomiast niepokoi mnie ten Gmer, który daje komunikat o Rootkitach:

GMER 1.0.11.11349 - http://www.gmer.net Rootkit 2006-09-25 14:55:12 Windows 5.1.2600 Dodatek Service Pack 2 ---- System - GMER 1.0.11 ---- SSDT 828E4A78 ZwConnectPort SSDT 82643DA8 ZwDuplicateObject SSDT 82948D78 ZwOpenProcess SSDT 828F0D40 ZwOpenThread ---- Devices - GMER 1.0.11 ---- Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 826B4010 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 82AC0E50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82613010 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 82613010 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82613010 Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82613010 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-10 IRP_MJ_INTERNAL_DEVICE_CONTROL 82613010 Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_DEVICE_CONTROL [F81FBA7C] GDTdiIcpt.sys Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_INTERNAL_DEVICE_CONTROL [F81FBA7C] GDTdiIcpt.sys ---- Processes - GMER 1.0.11 ---- Process CCPROXY.EXE (*** hidden *** ) [292] 8290A5F0 Process CCAPP.EXE (*** hidden *** ) [1716] 821BA020 Process SNDSrvc.exe (*** hidden *** ) [340] 823EB4C8 Process CCEVTMGR.EXE (*** hidden *** ) [404] 82A17DA0 Process SPBBCSvc.exe (*** hidden *** ) [364] 82907A30 ---- EOF - GMER 1.0.11 ----

Dodatkowo Norton daje alert: znaleziono WinFixer, daje loga z HiJacka i Silent Runners:

“Silent Runners.vbs”, revision 48, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z o.o.”] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “swg” = “C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe” [“Google Inc.”] “Odkurzacz-MCD” = “C:\Program Files\Odkurzacz\odk_mcd.exe” [“Franmo Software”] “odk_mcd” = (empty string) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “VTTrayp” = “VTtrayp.exe” [“S3 Graphics Co., Ltd.”] “VTTimer” = “VTTimer.exe” [“S3 Graphics, Inc.”] “Symantec NetDriver Monitor” = “C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer” [“Symantec Corporation”] “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “SMSERIAL” = “sm56hlpr.exe” [“Motorola Inc.”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “CloneCDElbyCDFL” = ““C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe” /L ElbyCDFL” [“Elaborate Bytes”] “ccApp” = ““C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”] “CloneCDTray” = ““C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe”” [“Elaborate Bytes”] “OdTray.exe” = ““C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe”” [“Funk Software, Inc.”] HKLM\Software\Microsoft\Active Setup\Installed Components\ >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}(Default) = “Outlook Express” \StubPath = “C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {9ECB9560-04F9-4bbc-943D-298DDF1699E1}(Default) = (no title provided) -> {HKLM…CLSID} = “CNisExtBho Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll” [“Symantec Corporation”] {AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided) -> {HKLM…CLSID} = “Google Toolbar Helper” \InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”] {BDF3E430-B101-42AD-A544-FADC6B084872}(Default) = (no title provided) -> {HKLM…CLSID} = “CNavExtBho Class” \InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{8e9d6600-f84a-11ce-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare Objects” \InProcServer32(Default) = “nwprovau.dll” [MS] “{e3f2bac0-099f-11cf-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare UNC Folder Menu” \InProcServer32(Default) = “nwprovau.dll” [MS] “{52c68510-09a0-11cf-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare Hood Verbs” \InProcServer32(Default) = “nwprovau.dll” [MS] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] “{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play” -> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play” \InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! “GinaDLL” = “C:\WINDOWS\System32\BCMLogon.dll” [“Broadcom Corporation”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! OdysseyClient\DLLName = “odyEvent.dll” [“Funk Software, Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! application/octet-stream\CLSID = “{1E66F26B-79EE-11D2-8710-00C04F79ED0D}” -> {HKLM…CLSID} = “Cor MIME Filter, CorFltr, CorFltr 1” \InProcServer32(Default) = “C:\WINDOWS\ServicePackFiles\i386\mscoree.dll” [MS] INFECTION WARNING! application/x-complus\CLSID = “{1E66F26B-79EE-11D2-8710-00C04F79ED0D}” -> {HKLM…CLSID} = “Cor MIME Filter, CorFltr, CorFltr 1” \InProcServer32(Default) = “C:\WINDOWS\ServicePackFiles\i386\mscoree.dll” [MS] INFECTION WARNING! application/x-msdownload\CLSID = “{1E66F26B-79EE-11D2-8710-00C04F79ED0D}” -> {HKLM…CLSID} = “Cor MIME Filter, CorFltr, CorFltr 1” \InProcServer32(Default) = “C:\WINDOWS\ServicePackFiles\i386\mscoree.dll” [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}” -> {HKLM…CLSID} = “IEContextMenu Class” \InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ NetWareUNCMenu(Default) = “{e3f2bac0-099f-11cf-8daa-00aa004a5691}” -> {HKLM…CLSID} = “NetWare UNC Folder Menu” \InProcServer32(Default) = “nwprovau.dll” [MS] Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}” -> {HKLM…CLSID} = “IEContextMenu Class” \InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is enabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Tatulo” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Enabled Scheduled Tasks: ------------------------ “Norton AntiVirus - Skanuj komputer - Tatulo” -> launches: “C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exe /task:“C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Tasks\mycomp.sca”” [“Symantec Corporation”] “Symantec NetDetect” -> launches: “C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE” [“Symantec Corporation”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 16 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}” -> {HKLM…CLSID} = “Norton AntiVirus” \InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”] “{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}” -> {HKLM…CLSID} = “Norton AntiVirus” \InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] “{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}” -> {HKLM…CLSID} = “Norton Internet Security” \InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll” [“Symantec Corporation”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided) -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”] “{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}” = “Norton Internet Security” -> {HKLM…CLSID} = “Norton Internet Security” \InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll” [“Symantec Corporation”] “{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}” = “Norton AntiVirus” -> {HKLM…CLSID} = “Norton AntiVirus” \InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Agent SAP, NwSapAgent, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\ipxsap.dll” [MS]} Broadcom Wireless LAN Tray Service, wltrysvc, “C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe” [null data] HTTP SSL, HTTPFilter, “C:\WINDOWS\System32\svchost.exe -k HTTPFilter” {“C:\WINDOWS\System32\w3ssl.dll” [MS]} ISSvc, ISSVC, ““C:\Program Files\Norton Internet Security\ISSVC.exe”” [“Symantec Corporation”] Odyssey Client for Fujitsu Siemens Computers, odClientService, ““C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe”” [“Funk Software, Inc.”] Symantec Event Manager, ccEvtMgr, ““C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”” [“Symantec Corporation”] Symantec Network Drivers Service, SNDSrvc, ““C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe”” [“Symantec Corporation”] Symantec Network Proxy, ccProxy, ““C:\Program Files\Common Files\Symantec Shared\ccProxy.exe”” [“Symantec Corporation”] Symantec Settings Manager, ccSetMgr, ““C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe”” [“Symantec Corporation”] Symantec SPBBCSvc, SPBBCSvc, ““C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe”” [“Symantec Corporation”] Usługa Auto-Protect programu Norton AntiVirus, navapsvc, ““C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe”” [“Symantec Corporation”] Usługa klienta dla systemu NetWare, NWCWorkstation, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\nwwks.dll” [MS]} ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer “No” at the first message box. ---------- (total run time: 22 seconds, including 3 seconds for message boxes) Logfile of HijackThis v1.99.1 Scan saved at 14:42:30, on 2006-09-25 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Internet Security\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\VTtrayp.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\sm56hlpr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe C:\Program Files\Gadu-Gadu\gg.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Outlook Express\msimn.exe C:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\Tatulo\USTAWI~1\Temp\Rar$EX00.172\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM…\Run: [VTTrayp] VTtrayp.exe O4 - HKLM…\Run: [VTTimer] VTTimer.exe O4 - HKLM…\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [sMSERIAL] sm56hlpr.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [CloneCDElbyCDFL] “C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe” /L ElbyCDFL O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe” O4 - HKLM…\Run: [CloneCDTray] “C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe” O4 - HKLM…\Run: [OdTray.exe] “C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe” O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe O4 - HKCU…\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &Tlumacz z LING… - http://www.ling.pl/ling/def-src.php4 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar1.google.com/data/pl/big/ … gleNav.cab O17 - HKLM\System\CCS\Services\Tcpip…{56938501-F95E-49BB-914F-20E76BFC5405}: Domain = 192.168.1.1 O17 - HKLM\System\CS1\Services\Tcpip…{56938501-F95E-49BB-914F-20E76BFC5405}: Domain = 192.168.1.1 O20 - Winlogon Notify: OdysseyClient - C:\WINDOWS\SYSTEM32\odyEvent.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: Usługa Auto-Protect programu Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: Odyssey Client for Fujitsu Siemens Computers (odClientService) - Funk Software, Inc. - C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Bieniol · 25 Wrzesień 2006 13:17

Gdzie jest ten komunikat?

W logach jest czysto

Jest to oznaka trojana Vundo, dlatego użyj narzędzia VundoFix

Lupus36 · 25 Wrzesień 2006 13:31

Komunikat wyskakuje w momencie uruchomienia Gmer-a. W całości brzmi tak

UWAGA! Gmer odnalazł modyfikacje systemu, które mogły zostać dokonane przez Rootkit’a. Czy chcesz dokładnie przeszukać system? Jednocześnie podświetla na czerwonoGMER 1.0.11.11349 - http://www.gmer.net Rootkit 2006-09-25 15:32:53 Windows 5.1.2600 Dodatek Service Pack 2 ---- Processes - GMER 1.0.11 ---- Process CCAPP.EXE (*** hidden *** ) [3512] 8217A440 Process CCPROXY.EXE (*** hidden *** ) [260] 8290D608 Process NAVAPSVC.exe (*** hidden *** ) [1692] 82316800 Process CCSETMGR.EXE (*** hidden *** ) [284] 829CE7F0 Process ISSVC.exe (*** hidden *** ) [296] 82410620 Process OPSCAN.EXE (*** hidden *** ) [2304] 820AE800 Process CCEVTMGR.EXE (*** hidden *** ) [396] 82904DA0 Process SNDSrvc.exe (*** hidden *** ) [316] 8240FA08 Process SPBBCSvc.exe (*** hidden *** ) [340] 82A239C8 ---- EOF - GMER 1.0.11 ----

Gutek · 25 Wrzesień 2006 13:33

Przeciez nic nie ma

Lupus36 · 25 Wrzesień 2006 13:34

Czyli fałszywy alrm??

Złączono Posta : 25.09.2006 (Pon) 14:42

VundoFix nic nie znalazł! Ale Norton znów dał monit:

Gutek · 25 Wrzesień 2006 14:30

skoro tak to użyj tego VUNDO - http://securityresponse.symantec.com/av … xVundo.exe

Lupus36 · 25 Wrzesień 2006 16:00

Użyłem zarówno VundoFix, jak i FixVundo Symantec i oba programy niczego nie wykryły. Dodatkowo odłączyłem NeroCheck i wywaliłem Windows Messengera. Czy to wystarczy??

Gutek · 25 Wrzesień 2006 16:02

Zrób skan Nortonem i powiedz co zauważył?

Bieniol · 25 Wrzesień 2006 16:06

Spróbuj użyć jeszcze --> VirtumundoBeGone

Lupus36 · 25 Wrzesień 2006 16:10

To jest wynik z VirtumundoBeGone

[09/25/2006, 18:11:29] - VirtumundoBeGone v1.5 ( “C:\Documents and Settings\Tatulo\Ustawienia lokalne\Temporary Internet Files\Content.IE5\KDMNCP67\VirtumundoBeGone[1].exe” ) [09/25/2006, 18:11:31] - Detected System Information: [09/25/2006, 18:11:31] - Windows Version: 5.1.2600, Dodatek Service Pack 2 [09/25/2006, 18:11:31] - Current Username: Tatulo (Admin) [09/25/2006, 18:11:31] - Windows is in NORMAL mode. [09/25/2006, 18:11:31] - Searching for Browser Helper Objects: [09/25/2006, 18:11:31] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class) [09/25/2006, 18:11:31] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} () [09/25/2006, 18:11:31] - WARNING: BHO has no default name. Checking for Winlogon reference. [09/25/2006, 18:11:31] - Checking for HKLM…\Winlogon\Notify\SDHelper [09/25/2006, 18:11:31] - Key not found: HKLM…\Winlogon\Notify\SDHelper, continuing. [09/25/2006, 18:11:31] - BHO 3: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class) [09/25/2006, 18:11:31] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper) [09/25/2006, 18:11:31] - BHO 5: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class) [09/25/2006, 18:11:31] - Finished Searching Browser Helper Objects [09/25/2006, 18:11:31] - Finishing up… [09/25/2006, 18:11:31] - Nothing found! Exiting…

Bieniol · 25 Wrzesień 2006 16:14

Jest OK

Zrób to, co napisał Gutek2222

Przeskanuj komputer programami Ad-aware SE Personal 1.06 oraz Spybot Search & Destroy 1.4

Lupus36 · 25 Wrzesień 2006 16:42

Norton podczas skanowania nic nie wykrył, natomiast gdy zaczął działać Ad-Aware SE znowu pojawił się komunikat Nortona, ze wykrył WinFixer

.

Z kolei Ad-Aware znalazł zainfekowane obiekty

Ad-Aware SE Build 1.06r1 Logfile Created on:25 września 2006 18:29:58 Created with Ad-Aware SE Personal, free for private use. Using definitions file:SE1R124 19.09.2006 »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» References detected during the scan: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» MRU List(TAC index:0):14 total references Tracking Cookie(TAC index:3):2 total references »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Ad-Aware SE Settings =========================== Set : Search for negligible risk entries Set : Safe mode (always request confirmation) Set : Scan active processes Set : Scan registry Set : Deep-scan registry Set : Scan my IE Favorites for banned URLs Set : Scan my Hosts file Extended Ad-Aware SE Settings =========================== Set : Unload recognized processes & modules during scan Set : Scan registry for all users instead of current user only Set : Always try to unload modules before deletion Set : During removal, unload Explorer and IE if necessary Set : Let Windows remove files in use at next reboot Set : Delete quarantined objects after restoring Set : Include basic Ad-Aware settings in log file Set : Include additional Ad-Aware settings in log file Set : Include reference summary in log file Set : Include alternate data stream details in log file Set : Play sound at scan completion if scan locates critical objects 2006-09-25 18:29:58 - Scan started. (Full System Scan) MRU List Object Recognized! Location: : C:\Documents and Settings\Tatulo\recent Description : list of recently opened documents MRU List Object Recognized! Location: : software\microsoft\directdraw\mostrecentapplication Description : most recent application to use microsoft directdraw MRU List Object Recognized! Location: : S-1-5-21-789336058-1972579041-725345543-1006\software\microsoft\directinput\mostrecentapplication Description : most recent application to use microsoft directinput MRU List Object Recognized! Location: : S-1-5-21-789336058-1972579041-725345543-1006\software\microsoft\directinput\mostrecentapplication Description : most recent application to use microsoft directinput MRU List Object Recognized! Location: : S-1-5-21-789336058-1972579041-725345543-1006\software\microsoft\internet explorer\typedurls Description : list of recently entered addresses in microsoft internet explorer MRU List Object Recognized! Location: : S-1-5-21-789336058-1972579041-725345543-1006\software\microsoft\mediaplayer\preferences Description : last cd record path used in microsoft windows media player MRU List Object Recognized! Location: : S-1-5-21-789336058-1972579041-725345543-1006\software\microsoft\windows\currentversion\applets\regedit Description : last key accessed using the microsoft registry editor MRU List Object Recognized! Location: : S-1-5-21-789336058-1972579041-725345543-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru Description : list of recent programs opened MRU List Object Recognized! Location: : S-1-5-21-789336058-1972579041-725345543-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru Description : list of recently saved files, stored according to file extension MRU List Object Recognized! Location: : S-1-5-21-789336058-1972579041-725345543-1006\software\microsoft\windows\currentversion\explorer\recentdocs Description : list of recent documents opened MRU List Object Recognized! Location: : S-1-5-21-789336058-1972579041-725345543-1006\software\microsoft\windows\currentversion\explorer\runmru Description : mru list for items opened in start | run MRU List Object Recognized! Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general Description : windows media sdk MRU List Object Recognized! Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general Description : windows media sdk MRU List Object Recognized! Location: : S-1-5-21-789336058-1972579041-725345543-1006\software\microsoft\windows media\wmsdk\general Description : windows media sdk Listing running processes »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» #:1 [smss.exe] FilePath : \SystemRoot\System32\ ProcessID : 968 ThreadCreationTime : 2006-09-25 15:46:45 BasePriority : Normal #:2 [csrss.exe] FilePath : ??\C:\WINDOWS\system32\ ProcessID : 1196 ThreadCreationTime : 2006-09-25 15:46:50 BasePriority : Normal #:3 [winlogon.exe] FilePath : ??\C:\WINDOWS\system32\ ProcessID : 1308 ThreadCreationTime : 2006-09-25 15:46:54 BasePriority : High #:4 [services.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 1424 ThreadCreationTime : 2006-09-25 15:46:56 BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : System operacyjny Microsoft® Windows® CompanyName : Microsoft Corporation FileDescription : Usługi i aplikacja Kontroler InternalName : services.exe LegalCopyright : © Microsoft Corporation. Wszelkie prawa zastrzeżone. OriginalFilename : services.exe #:5 [lsass.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 1440 ThreadCreationTime : 2006-09-25 15:46:56 BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : LSA Shell (Export Version) InternalName : lsass.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : lsass.exe #:6 [svchost.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 1692 ThreadCreationTime : 2006-09-25 15:46:59 BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:7 [svchost.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 1804 ThreadCreationTime : 2006-09-25 15:47:00 BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:8 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1860 ThreadCreationTime : 2006-09-25 15:47:00 BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:9 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 208 ThreadCreationTime : 2006-09-25 15:47:01 BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:10 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 268 ThreadCreationTime : 2006-09-25 15:47:01 BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:11 [odclientservice.exe] FilePath : C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\ ProcessID : 300 ThreadCreationTime : 2006-09-25 15:47:02 BasePriority : Normal FileVersion : 3.95.0.1942 ProductVersion : 4.02.0.1942 ProductName : Odyssey CompanyName : Funk Software, Inc. FileDescription : Odyssey Client Service InternalName : odClientService LegalCopyright : Copyright 2002-2005 Funk Software, Inc. All rights reserved. OriginalFilename : odClientService.EXE #:12 [ccproxy.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\ ProcessID : 736 ThreadCreationTime : 2006-09-25 15:47:06 BasePriority : Normal FileVersion : 103.5.8.2 ProductVersion : 103.5.8.2 ProductName : Client and Host Security Platform CompanyName : Symantec Corporation FileDescription : Symantec Network Proxy Service InternalName : ccProxy LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved. OriginalFilename : ccProxy.exe #:13 [ccsetmgr.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\ ProcessID : 764 ThreadCreationTime : 2006-09-25 15:47:06 BasePriority : Normal FileVersion : 103.5.8.2 ProductVersion : 103.5.8.2 ProductName : Client and Host Security Platform CompanyName : Symantec Corporation FileDescription : Symantec Settings Manager Service InternalName : ccSetMgr LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved. OriginalFilename : ccSetMgr.exe #:14 [issvc.exe] FilePath : C:\Program Files\Norton Internet Security\ ProcessID : 940 ThreadCreationTime : 2006-09-25 15:47:06 BasePriority : Normal FileVersion : 8.5.0.113 ProductVersion : 8.5 ProductName : Norton Internet Security CompanyName : Symantec Corporation FileDescription : IS Service InternalName : ISSVC.exe LegalCopyright : Copyright © 2005 Symantec Corporation. All rights reserved. OriginalFilename : ISSVC.exe #:15 [sndsrvc.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\ ProcessID : 960 ThreadCreationTime : 2006-09-25 15:47:06 BasePriority : Normal FileVersion : 5.5.1.6 ProductVersion : 5.5 ProductName : Symantec Security Drivers CompanyName : Symantec Corporation FileDescription : Network Driver Service InternalName : SndSrvc LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation OriginalFilename : SndSrvc.exe #:16 [spbbcsvc.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\SPBBC\ ProcessID : 1008 ThreadCreationTime : 2006-09-25 15:47:07 BasePriority : Normal FileVersion : 1,5,1,3 ProductVersion : 1,5,1,3 ProductName : SPBBC CompanyName : Symantec Corporation FileDescription : SPBBC Service InternalName : SPBBCSvc LegalCopyright : Copyright © 2004 Symantec Corporation. All rights reserved. OriginalFilename : SPBBCSvc.exe #:17 [ccevtmgr.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\ ProcessID : 1112 ThreadCreationTime : 2006-09-25 15:47:08 BasePriority : Normal FileVersion : 103.5.8.2 ProductVersion : 103.5.8.2 ProductName : Client and Host Security Platform CompanyName : Symantec Corporation FileDescription : Symantec Event Manager Service InternalName : ccEvtMgr LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved. OriginalFilename : ccEvtMgr.exe #:18 [spoolsv.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 128 ThreadCreationTime : 2006-09-25 15:47:11 BasePriority : Normal FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519) ProductVersion : 5.1.2600.2696 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Spooler SubSystem App InternalName : spoolsv.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : spoolsv.exe #:19 [navapsvc.exe] FilePath : C:\Program Files\Norton Internet Security\Norton AntiVirus\ ProcessID : 404 ThreadCreationTime : 2006-09-25 15:47:16 BasePriority : Normal FileVersion : 11.5.7.5 ProductVersion : 11.5.7 ProductName : Norton AntiVirus CompanyName : Symantec Corporation FileDescription : Norton AntiVirus Auto-Protect Service InternalName : NAVAPSVC LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2005 Symantec Corporation. All rights reserved. OriginalFilename : NAVAPSVC.EXE #:20 [wltrysvc.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 604 ThreadCreationTime : 2006-09-25 15:47:16 BasePriority : Normal #:21 [bcmwltry.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 628 ThreadCreationTime : 2006-09-25 15:47:17 BasePriority : Normal FileVersion : 3.100.64.1 ProductVersion : 3.100.64.1 ProductName : Broadcom 802.11 Network Adapter Wireless Network Controller CompanyName : Broadcom Corporation FileDescription : Broadcom 802.11 Network Adapter Wireless Network Controller InternalName : bcmwltry.exe LegalCopyright : 1998-2005, Broadcom Corporation All Rights Reserved. OriginalFilename : bcmwltry.exe #:22 [alg.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 112 ThreadCreationTime : 2006-09-25 15:47:27 BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Application Layer Gateway Service InternalName : ALG.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : ALG.exe #:23 [explorer.exe] FilePath : C:\WINDOWS\ ProcessID : 600 ThreadCreationTime : 2006-09-25 15:51:04 BasePriority : Normal FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 6.00.2900.2180 ProductName : System operacyjny Microsoft® Windows® CompanyName : Microsoft Corporation FileDescription : Eksplorator Windows InternalName : explorer LegalCopyright : © Microsoft Corporation. Wszelkie prawa zastrzeżone. OriginalFilename : EXPLORER.EXE #:24 [vttrayp.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 3180 ThreadCreationTime : 2006-09-25 15:51:11 BasePriority : Normal FileVersion : 2.00.41-1031 ProductVersion : 2.00.41-1031 ProductName : Part of S3 Screen Toys CompanyName : S3 Graphics Co., Ltd. FileDescription : s3contrl (32-bit) InternalName : s3contrl LegalCopyright : Copyright © 2004-2005 S3 Graphics Co., Ltd. LegalTrademarks : S3 is a registered trademark of S3 Incorporated Comments : S3TrayPlus tray icon utility (32-bit) #:25 [vttimer.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 3228 ThreadCreationTime : 2006-09-25 15:51:12 BasePriority : Normal FileVersion : 2.00.01-0307 ProductVersion : 2.00.01-0307 ProductName : S3 Graphics, Inc. Utilities CompanyName : S3 Graphics, Inc. InternalName : S3Timer LegalCopyright : Copyright © 2001-2005 S3 Graphics, Inc. LegalTrademarks : S3 is a registered trademark of S3 Incorporated #:26 [soundman.exe] FilePath : C:\WINDOWS\ ProcessID : 3544 ThreadCreationTime : 2006-09-25 15:51:12 BasePriority : Normal FileVersion : 5.1.0.39 ProductVersion : 5.1.0.39 ProductName : Realtek Sound Manager CompanyName : Realtek Semiconductor Corp. FileDescription : Realtek Sound Manager InternalName : ALSMTray LegalCopyright : Copyright © 2001-2004 Realtek Semiconductor Corp. OriginalFilename : ALSMTray.exe Comments : Realtek AC97 Audio Sound Manager #:27 [sm56hlpr.exe] FilePath : C:\WINDOWS\ ProcessID : 3588 ThreadCreationTime : 2006-09-25 15:51:13 BasePriority : Normal FileVersion : 6.09.07 ProductVersion : SM56 Rel. 6.09 Build 07 ProductName : Motorola SM56 Tray Application CompanyName : Motorola Inc. FileDescription : Motorola SM56 Win32 Utility InternalName : SM56 Modem Helper LegalCopyright : Copyright © 1998-2004, Motorola Inc. OriginalFilename : SM56HLPR.EXE #:28 [ccapp.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\ ProcessID : 3880 ThreadCreationTime : 2006-09-25 15:51:13 BasePriority : Normal FileVersion : 103.5.8.2 ProductVersion : 103.5.8.2 ProductName : Client and Host Security Platform CompanyName : Symantec Corporation FileDescription : Symantec User Session InternalName : ccApp LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved. OriginalFilename : ccApp.exe #:29 [odtray.exe] FilePath : C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\ ProcessID : 4056 ThreadCreationTime : 2006-09-25 15:51:14 BasePriority : Normal FileVersion : 3.95.0.1942 ProductVersion : 4.02.0.1942 ProductName : Odyssey CompanyName : Funk Software, Inc. FileDescription : Odyssey Client Tray Icon InternalName : odTray LegalCopyright : Copyright 2002-2005 Funk Software, Inc. All rights reserved. OriginalFilename : odTray.exe #:30 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 336 ThreadCreationTime : 2006-09-25 15:51:15 BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:31 [iexplore.exe] FilePath : C:\Program Files\Internet Explorer\ ProcessID : 3076 ThreadCreationTime : 2006-09-25 15:52:48 BasePriority : Normal FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 6.00.2900.2180 ProductName : System operacyjny Microsoft® Windows® CompanyName : Microsoft Corporation FileDescription : Internet Explorer InternalName : iexplore LegalCopyright : © Microsoft Corporation. Wszelkie prawa zastrzeżone. OriginalFilename : IEXPLORE.EXE #:32 [nsmdtr.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\AdBlocking\ ProcessID : 3492 ThreadCreationTime : 2006-09-25 15:52:49 BasePriority : Normal FileVersion : 8.5.0.113 ProductVersion : 8.5 ProductName : Norton Internet Security CompanyName : Symantec Corporation FileDescription : Norton Internet Security Mediator LegalCopyright : Copyright © 2005 Symantec Corporation. All rights reserved. #:33 [ad-aware.exe] FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\ ProcessID : 232 ThreadCreationTime : 2006-09-25 16:29:40 BasePriority : Normal FileVersion : 6.2.0.236 ProductVersion : SE 106 ProductName : Lavasoft Ad-Aware SE CompanyName : Lavasoft Sweden FileDescription : Ad-Aware SE Core application InternalName : Ad-Aware.exe LegalCopyright : Copyright © Lavasoft AB Sweden OriginalFilename : Ad-Aware.exe Comments : All Rights Reserved Memory scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 14 Started registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Registry Scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 14 Started deep registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Deep registry scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 14 Started Tracking Cookie scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Tracking Cookie Object Recognized! Type : IECache Entry Data : tatulo@clickbank[2].txt TAC Rating : 3 Category : Data Miner Comment : Hits:4 Value : Cookie:tatulo@clickbank.net/ Expires : 2007-03-24 17:13:32 LastSync : Hits:4 UseCount : 0 Hits : 4 Tracking Cookie Object Recognized! Type : IECache Entry Data : tatulo@tradedoubler[2].txt TAC Rating : 3 Category : Data Miner Comment : Hits:2 Value : Cookie:tatulo@tradedoubler.com/ Expires : 2026-09-20 17:48:44 LastSync : Hits:2 UseCount : 0 Hits : 2 Tracking cookie scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 2 Objects found so far: 16 Deep scanning and examining files (C:) »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Disk Scan Result for C:\ »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 16 Deep scanning and examining files (D:) »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Disk Scan Result for D:\ »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 16 Scanning Hosts file… Hosts file location:“C:\WINDOWS\system32\drivers\etc\hosts”. »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Hosts file scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 1 entries scanned. New critical objects:0 Objects found so far: 16 Performing conditional scans… »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Conditional scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 16 18:36:35 Scan Complete Summary Of This Scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Total scanning time:00:06:37.406 Objects scanned:110091 Objects identified:2 Objects ignored:0 New critical objects:2

A Spybot pogratulował Nie ma żadnych zagrożeń.