Trojan rootgg w win xp

Witam

Wiem, że problem ten był już omawiany ale ponieważ nie znalazłem końcowego rozwiązania tego problemu pozwolę sobie jeszcze raz poprosić o pomoc w tej kwestii czyli jak usunąć w win xp trojana rootgg.dll

Wyłączyłem przywracanie systemu i dwukrotne próby usunięcia raz w trybie awaryjnym a potem Killboxem nic nie dały.

Usuwałem wpisy w rejestrach svcnet.exe i JW.exe

Pliku serwer.exe też nie znalazłem.

Poradźcie prosze krok po kroku co mam robić a by się tego pozbyć.

Co powinienem zablokować aby się niepotrzebnie nie uruchamiało przy starcie systemu…

Oto log :

Logfile of HijackThis v1.99.1

Scan saved at 21:06:57, on 2005-05-29

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE

C:\Program Files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

C:\PROGRA~1\NEOSTR~1\ComComp.exe

C:\PROGRA~1\NEOSTR~1\Watch.exe

C:\Program Files\Internet Explorer\iexplore.exe

D:\install\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: PopupSentry Class - {00000000-6C30-11D8-9363-000AE6309657} - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSBHO.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Acrobat\ActiveX\AcroIEHelper.ocx

O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon

O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM…\Run: [CloneCDTray] “C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” /s

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM…\Run: [] C:\WINDOWS\system32\JW.exe

O4 - HKCU…\Run: [i/O Controllers] svcnet.exe

O4 - HKCU…\Run: [] C:\WINDOWS\system32\JW.exe

O4 - HKCU…\Run: [PopUpSentry] C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v … 2439030421

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip…{9F17BE47-E020-4943-AF61-51C5F4E7BCE3}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

O23 - Service: Pop-Up Sentry! Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE

Z góry dziękuję za pomoc i wyrozumiałość

spójrz na posty agitariusa w tym wątku http://www.searchengines.pl/phpbb203/in … opic=34879

Usuwałem rootgg.dll w trybie awaryjnym przy odinstalowanym GG i po ponownym uruchomieniu kompa rootgg pojawiał sie znowu…

Spróbuj zrobić to samo przy wyłączonym przywracaniu systemu.

podaj jeszcze log z :

http://www.silentrunners.org/

zobaczymy czy on cos nam powie?

Boczi

Robiłem to przy wyłączonym przywracaniu systemu

Musg

Oto log:

“Silent Runners.vbs”, revision 37, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“I/O Controllers” = “svcnet.exe” [file not found]

" " = “C:\WINDOWS\system32\JW.exe” [null data]

“PopUpSentry” = “C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE” [“PopUpSentry.com”]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string]

“SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”]

“WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”]

“WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [“France Télécom R&D”]

“CloneCDTray” = ““C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” /s” [“SlySoft, Inc.”]

“NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]

“HPDJ Taskbar Utility” = “C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe” [“HP”]

" " = “C:\WINDOWS\system32\JW.exe” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{00000000-6C30-11D8-9363-000AE6309657}(Default) = “PopupSentry Class”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSBHO.dll” [null data]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = “AcroIEHlprObj Class” [from CLSID]

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0 CE\Acrobat\ActiveX\AcroIEHelper.ocx” [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

“{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Unbind”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL” [MS]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS]

“{46E22146-59C0-4136-9233-52E412E2B428}” = “EzCddax extension”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Easy CD-DA Extractor 8\ezcddax8.dll” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! “{5AE067D3-9AFB-48E0-853A-EBB7F4A000D8}” = “SABShellExecuteHook Class” [from CLSID]

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSEHPS.DLL” [“SuperAdBlocker.com”]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”]

Enabled Active Desktop and Wallpaper:


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Startup items in “abc” & “All Users” startup folders:


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS]

“Acrobat Assistant” -> shortcut to: “C:\Program Files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe” [“Adobe Systems Inc.”]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:


Dormant Explorer Bars in “View, Explorer Bar” menu

HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\

(Default) = “Volet Wanadoo”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\

(Default) = “ToolBand Class”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}\

(Default) = “Volet Wanadoo”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

Running Services (Display Name, Service Name, Path {Service DLL}):


Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”]

Pop-Up Sentry! Service, SABSVC, ““C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE”” [“SuperAdBlocker.com”]


This report excludes default entries except where indicated.

To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.


widac je tutaj:

usuwanie svcnet:

http://www3.ca.com/securityadvisor/viru … x?id=41429

C:\WINDOWS\system32\JW.exe"

a to wyglada na trojana messengera

usun messengera:

http://www.amnezja.org/modules.php?name … =0&thold=0

nastepnie:

w trybie awaryjnym z wylaczonym przywracaniem systemu usun:

C:\WINDOWS\system32\ JW.exe

spsoby usuwania znasz

i zapomnialem jeszcze o jednym:

caly ten falszywy program leci w kosmos

Qrcze ale nie bardzo wiem co mam na tej stronie zrobić? :shock:

przeskanuj antywirem i sprawdz czy go usunie jesli nie to bedziemy wywalac recznie i usun jeszczze tego falszywego pop-upa

Jaki profil ustawić w xpantispy?

Normalny, taki jaki jest standardowo. Nie ma to więszego znaczenia.

Przeskanowałem eTrustem i nic nie znalazło

dobrze a co z resztą?Masz zrobic pozostale rzeczy ,ktore ci podalem

usun ten badziewny pop-up

robisz:

Start >>> Uruchom >>> services.msc >>> zatrzymaj i wyłącz svcnet.exe

Otwierasz HijackThis >>> Misc Tools >>> Delete NT Service >>> wklepujesz svcnet.exe >>> zawierdzasz i kasujesz ręcznie plik svcnet.exe ,

hijackiem fixujesz:

W trybie awaryjnym wywaliłem JW.exe i rootgg.dll, odinstalowałem popupsentra i po restarcie nie znalazłem już tych plików.

Natomiast po uruchomieniu services.msc nie widzę nigdzie svcnet.exe i

hijack tego pliku też nie znalazł

Czy to może oznaczać że mamy problem z głowy?

Daj teraz log z Hijackthis i sillentrunners na nowo.

Logfile of HijackThis v1.99.1

Scan saved at 20:59:22, on 2005-05-30

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe

C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

C:\PROGRA~1\NEOSTR~1\ComComp.exe

C:\PROGRA~1\NEOSTR~1\Watch.exe

D:\install\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Acrobat\ActiveX\AcroIEHelper.ocx

O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon

O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM…\Run: [CloneCDTray] “C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” /s

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM…\Run: [] C:\WINDOWS\system32\JW.exe

O4 - HKCU…\Run: [] C:\WINDOWS\system32\JW.exe

O4 - HKCU…\Run: [PopUpSentry] C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v … 2439030421

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru … ebscan.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip…{9F17BE47-E020-4943-AF61-51C5F4E7BCE3}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

brawo stary,zostaje jeszcze to i pozbedziesz sie tego tak jak powyzej napisalem ale najpierw musisz odinstalowac messengera i usunac:

hijackiem jeszcze to:

lokalizacje widzisz :Program Files

I na koniec (mam nadzieję) do kontroli log

“Silent Runners.vbs”, revision 37, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string]

“SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”]

“WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”]

“WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [“France Télécom R&D”]

“CloneCDTray” = ““C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” /s” [“SlySoft, Inc.”]

“NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]

“HPDJ Taskbar Utility” = “C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe” [“HP”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = “AcroIEHlprObj Class” [from CLSID]

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0 CE\Acrobat\ActiveX\AcroIEHelper.ocx” [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

“{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Unbind”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL” [MS]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS]

“{46E22146-59C0-4136-9233-52E412E2B428}” = “EzCddax extension”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Easy CD-DA Extractor 8\ezcddax8.dll” [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”]

Enabled Active Desktop and Wallpaper:


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Startup items in “abc” & “All Users” startup folders:


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS]

“Acrobat Assistant” -> shortcut to: “C:\Program Files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe” [“Adobe Systems Inc.”]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:


Dormant Explorer Bars in “View, Explorer Bar” menu

HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\

(Default) = “Volet Wanadoo”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\

(Default) = “ToolBand Class”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}\

(Default) = “Volet Wanadoo”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

Running Services (Display Name, Service Name, Path {Service DLL}):


Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”]


This report excludes default entries except where indicated.

To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.


Ja też mam tego wirusa oto moje logo

“Silent Runners.vbs”, revision 37, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS]

“Norton SystemWorks” = “C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}” [“Symantec Corporation”]

“ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS]

“Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}

" " = “C:\WINDOWS\system32\Emot1.exe” [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“ATIPTA” = “atiptaxx.exe” [file not found]

“NeroCheck” = “C:\WINDOWS\System32\NeroCheck.exe” [“Ahead Software Gmbh”]

“RemoteControl” = ““C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”]

“ccApp” = ““C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”]

“WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string]

“WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”]

“WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [“France Télécom R&D”]

“Symantec NetDriver Monitor” = “C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer” [“Symantec Corporation”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = “AcroIEHlprObj Class” [from CLSID]

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string]

{45AD732C-2CE2-4666-B366-B2214AD57A49}(Default) = “Idea2 SidebarBrowserMonitor Class”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Desktop Sidebar\sbhelp.dll” [“Idea2”]

{BDF3E430-B101-42AD-A544-FADC6B084872}(Default) = “NAV Helper”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll” [“Symantec Corporation”]

=D>