Trojan Haxdoor


(Tomh2o) #1

Logfile of HijackThis v1.99.1

Scan saved at 17:31:04, on 2006-09-03

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE

C:\Program Files\BearShare\BearShare.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\F?nts\n?tepad.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe

C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE

C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe

C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE

C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE

C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe

C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE

C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe

C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe

C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\PROGRA~1\F-SECU~1\ANTI-S~2\fsaw.exe

C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\tomek\USTAWI~1\Temp\Rar$EX01.922\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.pl

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - Default URLSearchHook is missing

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O4 - HKLM..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM..\Run: [nwiz] nwiz.exe /install

O4 - HKLM..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot

O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

O4 - HKLM..\Run: [CafeNews] C:\Program Files\Press-Service\CafeNews\CN.exe /autostart

O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash

O4 - HKLM..\Run: [bearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU..\Run: [Miqss] C:\WINDOWS\F?nts\n?tepad.exe

O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\BACKWEB\4476822\Program\fspex.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE

O8 - Extra context menu item: &Zablokuj to okienko - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: Osłona programu IE - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll

O9 - Extra 'Tools' menuitem: Osłona programu IE... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4946805843

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4947662562

O17 - HKLM\System\CCS\Services\Tcpip..{72CB6962-019A-43D9-9669-98EDEB4C1755}: NameServer = 81.219.160.2,217.17.34.10

O17 - HKLM\System\CS1\Services\Tcpip..{72CB6962-019A-43D9-9669-98EDEB4C1755}: NameServer = 81.219.160.2,217.17.34.10

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe

O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe


(Bbieniol) #2

W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz (wpisy Hijackiem, pliki/foldery na czerwono ręcznie z dysku):

Po zabiegach nowy log z Hijacka + log z Silent Runners

Masz dwa antywirusy - odinstaluj jednego, bo się będą gryzły

Podaj lokalizację zainfekowanego pliku :slight_smile:


(Tomh2o) #3

WITAM nie za bardzo wiem jak usunac czesciowy wpis prosze o miniaturowa instrukcje.

lokalizacja zainfekow.pliku.

Trojan Dowlander.Win. 32.Purity

plik: !UPDATE-4295(!).0000

sciezka C:\DOKUMENTS AND SETTINGS\TOMEK\USTAWIENIA\MIO2XI3T

Logfile of HijackThis v1.99.1

Scan saved at 21:04:10, on 2006-09-04

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE

C:\Program Files\BearShare\BearShare.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe

C:\WINDOWS\F?nts\n?tepad.exe

C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE

C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe

C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE

C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe

C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE

C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE

C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe

C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe

C:\PROGRA~1\F-SECU~1\ANTI-S~2\fsaw.exe

C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe

C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\tomek\USTAWI~1\Temp\Rar$EX00.359\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.pl

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - Default URLSearchHook is missing

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O4 - HKLM..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM..\Run: [nwiz] nwiz.exe /install

O4 - HKLM..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot

O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

O4 - HKLM..\Run: [CafeNews] C:\Program Files\Press-Service\CafeNews\CN.exe /autostart

O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash

O4 - HKLM..\Run: [bearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKCU..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU..\Run: [Miqss] C:\WINDOWS\F?nts\n?tepad.exe

O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\BACKWEB\4476822\Program\fspex.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE

O8 - Extra context menu item: &Zablokuj to okienko - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: Osłona programu IE - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll

O9 - Extra 'Tools' menuitem: Osłona programu IE... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4946805843

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4947662562

O17 - HKLM\System\CCS\Services\Tcpip..{72CB6962-019A-43D9-9669-98EDEB4C1755}: NameServer = 81.219.160.2,217.17.34.10

O17 - HKLM\System\CS1\Services\Tcpip..{72CB6962-019A-43D9-9669-98EDEB4C1755}: NameServer = 81.219.160.2,217.17.34.10

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe

O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe


(Bbieniol) #4

Wyłączasz przywracanie systemu:

Włączasz tryb awaryjny:

Odpalasz Hijacka --> do a system scan only i zaznaczasz wpisy:

I klikasz na dole "fix checked" :slight_smile:

Uruchamiasz narzędzie KillBox, zaznaczasz Delete on reboot[/b, w polu full path of file wklej ścieżkę:

C:\WINDOWS\Fonts\notepad.exe

Klikasz X i restart kompa :slight_smile:

Ściągnij EWIDO, zrób Update i przeskanuj nim dysk :slight_smile:

Wrzuć logi do kontroli :slight_smile:


(Tomh2o) #5

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" ["Nero AG"]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"hpfsched" = "C:\WINDOWS\hpfsched.exe" [null data]

"NeroFilterCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = "C:\Program Files\Google\Gmail Notifier\gnotify.exe" ["Google Inc."]

"F-Secure TNB" = ""C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"]

"F-Secure Startup Wizard" = ""C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot" ["F-Secure Corporation"]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"F-Secure Manager" = ""C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash" ["F-Secure Corporation"]

"BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]

"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]

"LanguageShortcut" = ""C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"" [null data]

"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" ["Google"]

"!ewido" = ""C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

\InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

\InProcServer32(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

\InProcServer32(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"

-> {HKLM...CLSID} = "Microsoft Office Binder Unbind"

\InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

-> {HKLM...CLSID} = "Portable Media Devices"

\InProcServer32(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"

-> {HKLM...CLSID} = "JetFlExt"

\InProcServer32(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

-> {HKLM...CLSID} = "Shell Search Band"

\InProcServer32(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"

-> {HKLM...CLSID} = "ShellLink for Application References"

\InProcServer32(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"

-> {HKLM...CLSID} = "Shell Icon Handler for Application References"

\InProcServer32(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"

-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

\InProcServer32(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

INFECTION WARNING! "AppInit_DLLs" = "C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL" ["Google"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

\InProcServer32(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

ewido anti-spyware(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ewido anti-spyware(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

jetAudio(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

-> {HKLM...CLSID} = "JetFlExt"

\InProcServer32(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

jetAudio(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

-> {HKLM...CLSID} = "JetFlExt"

\InProcServer32(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\tomek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sstext3d.scr" [MS]

Startup items in "tomek" & "All Users" startup folders:


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"F-Secure Anti-Virus 2006" -> shortcut to: "C:\Program Files\F-Secure Internet Security\BACKWEB\4476822\Program\fspex.exe -startup" ["F-Secure Internet Security 2005"]

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

"Symantec Fax Starter Edition Port" -> shortcut to: "C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE" [MS]

Enabled Scheduled Tasks:


"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]

"Scheduled scanning task" -> launches: "C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exe /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt " ["F-Secure Corporation"]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:


Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.5.0_08"

\InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.5.0_08"

\InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll" ["Sun Microsystems, Inc."]

{300DB664-75B5-47C0-8B45-A44ACCF73C00}\

"ButtonText" = "Osłona programu IE"

"MenuText" = "Osłona programu IE..."

"CLSIDExtension" = "{0928F506-07E8-470c-979D-147C296D4879}"

-> {HKLM...CLSID} = "F-Secure IE Shield COM button"

\InProcServer32(Default) = "C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll" ["F-Secure Corporation"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):


Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared Files\RichVideo.exe"" [empty string]

ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]

F-Secure Anti-Virus 2006, BackWeb Plug-in - 4476822, "C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE" ["F-Secure Internet Security 2005"]

F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe"" ["F-Secure Corporation"]

F-Secure Management Agent, FSMA, ""C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE"" ["F-Secure Corporation"]

fsbwsys, fsbwsys, ""C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe"" ["F-Secure Corp."]

FSGKHS, F-Secure Gatekeeper Handler Starter, ""C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe"" ["F-Secure Corporation"]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

Print Monitors:


HKLM\System\CurrentControlSet\Control\Print\Monitors\

HPF00120\Driver = "HPFlpm20.dll" ["Hewlett-Packard Company"]

OLFax Ports\Driver = "OLFMNT40.DLL" [MS]


  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • To search all directories of local fixed drives for DESKTOP.INI

DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 44 seconds, including 2 seconds for message boxes)

w killboxie mialem komunikatPPendingFileRenameOperationsRegistryData has been Removed by External Process.

i co dalej???????


(Bbieniol) #6

Logi są już czyste :slight_smile:

Czy nadal jest problem z tym Haxdoorem?


(Tomh2o) #7

dzieki po skanowaniu jest oki . :stuck_out_tongue: