Yaho
(Jacho O)
12 Czerwiec 2007 11:45
#1
Witam serdecznie szacowne grono!
Otrzymałem właśnie zawiruszonego laptopa Toshiba.Norton Antyvirus wykrywa jakiegoś trojana np.tmp2 i nie może go usunąć,a następnie ciągle znajduje jakieś dziwne jego klony.Po usunięciu w trybie awaryjnym i zastosowaniu SmitFraudFix (przywracanie systemu wyłączone),wydaje się,że problem ustąpił,ale przy pierwszym lepszym skanowaniu plików,np.Spy Sweeperem albo antyvirem,problem pojawia się znowu.VundoFix nic nie znalazł i właściwie nie wiem już gdzie znaleźć przyczynę?Oto mój log HijackThis (nie zwracajcie uwagi na 2 antyviry,odinstaluję jeden później,najpierw chcę się pozbyć wirusa):
Logfile of HijackThis v1.99.1 Scan saved at 08:41:28, on 2007-06-12 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16441) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\Program Files\Eset\nod32krn.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\TODDSrv.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\WINDOWS\system32\ZoomingHook.exe C:\WINDOWS\system32\TCtrlIOHook.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\D-Tools\daemon.exe C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Program Files\PC Connectivity Solution\ServiceLayer.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE C:\Program Files\TC PowerPack\totalcmd.exe C:\rob\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM…\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM…\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM…\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM…\Run: [TPNF] “C:\Program Files\TOSHIBA\TouchPad\TPTray.exe” O4 - HKLM…\Run: [TPSMain] TPSMain.exe O4 - HKLM…\Run: [Zooming] ZoomingHook.exe O4 - HKLM…\Run: [TCtryIOHook] TCtrlIOHook.exe O4 - HKLM…\Run: [TFncKy] TFncKy.exe O4 - HKLM…\Run: [DDWMon] “C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe” O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe” O4 - HKLM…\Run: [intelZeroConfig] “C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe” O4 - HKLM…\Run: [intelWireless] “C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” /tf Intel PROSet/Wireless O4 - HKLM…\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [PCSuiteTrayApplication] “C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe” -startup O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe” O4 - HKLM…\Run: [spySweeper] “C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe” /startintray O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [TOSCDSPD] “C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe” O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe” O4 - Startup: Szybkie uruchamianie programu Microsoft Office OneNote 2003.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [iNTERNATIONAL] International* O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 9750295363 O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{CB515F13-8ACA-429A-BC80-697073BC67A3}: NameServer = 194.204.152.34,194.204.159.1 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Usługa Auto-Protect programu Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Usługa Norton Protection Center (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
TomaszP
(Tomasz Paziewski)
12 Czerwiec 2007 13:15
#2
Log czysty. Wrzuć jeszcze z SilentRunners
Yaho
(Jacho O)
12 Czerwiec 2007 14:48
#3
Wielkie dzięki za sprawdzenie :lol: W międzyczasie trochę pozmieniałem (m.in. usunąłem Norton Security).Logi wyglądają teraz tak:
Logfile of HijackThis v1.99.1 Scan saved at 16:39:53, on 2007-06-12 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16441) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\WINDOWS\system32\ZoomingHook.exe C:\WINDOWS\system32\TCtrlIOHook.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\D-Tools\daemon.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe C:\Program Files\Eset\nod32krn.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\TODDSrv.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe C:\Program Files\PC Connectivity Solution\ServiceLayer.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\TC PowerPack\totalcmd.exe C:\rob\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM…\Run: [TPNF] “C:\Program Files\TOSHIBA\TouchPad\TPTray.exe” O4 - HKLM…\Run: [TPSMain] TPSMain.exe O4 - HKLM…\Run: [Zooming] ZoomingHook.exe O4 - HKLM…\Run: [TCtryIOHook] TCtrlIOHook.exe O4 - HKLM…\Run: [TFncKy] TFncKy.exe O4 - HKLM…\Run: [DDWMon] “C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe” O4 - HKLM…\Run: [intelZeroConfig] “C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe” O4 - HKLM…\Run: [intelWireless] “C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” /tf Intel PROSet/Wireless O4 - HKLM…\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” O4 - HKLM…\Run: [PCSuiteTrayApplication] “C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe” -startup O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe” O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [TOSCDSPD] “C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe” O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe” O4 - Startup: Szybkie uruchamianie programu Microsoft Office OneNote 2003.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [iNTERNATIONAL] International* O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 9750295363 O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{CB515F13-8ACA-429A-BC80-697073BC67A3}: NameServer = 194.204.152.34,194.204.159.1 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing) O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
oraz
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “TOSCDSPD” = ““C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe”” [“TOSHIBA”] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] “BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}” = ““C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe”” [“Nero AG”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “RTHDCPL” = “RTHDCPL.EXE” [“Realtek Semiconductor Corp.”] “Alcmtr” = “ALCMTR.EXE” [“Realtek Semiconductor Corp.”] “TPNF” = ““C:\Program Files\TOSHIBA\TouchPad\TPTray.exe”” [“COMPAL ELECTRONIC INC.”] “TPSMain” = “TPSMain.exe” [“TOSHIBA Corporation”] “Zooming” = “ZoomingHook.exe” [“TOSHIBA”] “TCtryIOHook” = “TCtrlIOHook.exe” [“TOSHIBA”] “TFncKy” = “TFncKy.exe” [“TOSHIBA Corporation”] “DDWMon” = ““C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe”” [“TOSHIBA Corporation”] “IntelZeroConfig” = ““C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe”” [“Intel Corporation”] “IntelWireless” = ““C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” /tf Intel PROSet/Wireless” [“Intel Corporation”] “AGRSMMSG” = “AGRSMMSG.exe” [“Agere Systems”] “DAEMON Tools-1033” = ““C:\Program Files\D-Tools\daemon.exe” -lang 1033” [“DAEMON’S HOME”] “CFSServ.exe” = “CFSServ.exe -NoClient” [“TOSHIBA CORPORATION”] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “PCSuiteTrayApplication” = ““C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe” -startup” [“Nokia”] “nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "] “WinampAgent” = ““C:\Program Files\Winamp\winampa.exe”” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{9ED66769-A198-41FE-8615-601691C68846}” = “TouchPad Property Sheet” -> {HKLM…CLSID} = “TouchPad PropSheet Class” \InProcServer32(Default) = “C:\WINDOWS\system32\TPprop.dll” [“COMPAL ELECTRONIC INC.”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{B327765E-D724-4347-8B16-78AE18552FC3}” = “NeroDigitalIconHandler” -> {HKLM…CLSID} = “NeroDigitalIconHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll” [“Nero AG”] “{7F1CF152-04F8-453A-B34C-E609530A9DC8}” = “NeroDigitalPropSheetHandler” -> {HKLM…CLSID} = “NeroDigitalPropSheetHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll” [“Nero AG”] “{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}” = “Nokia Phone Browser” -> {HKLM…CLSID} = “Nokia Phone Browser” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll” [“Nokia”] “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> igfxcui\DLLName = “igfxdev.dll” [“Intel Corporation”] <> WRNotifier\DLLName = “WRLogonNTF.dll” [file not found] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = “NeroDigitalExt.NeroDigitalColumnHandler” -> {HKLM…CLSID} = “NeroDigitalColumnHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll” [“Nero AG”] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Monika” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\Monika\Menu Start\Programy\Autostart “Szybkie uruchamianie programu Microsoft Office OneNote 2003” -> shortcut to: “C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE /tsr” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 21 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 20 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.6.0_01” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.6.0_01” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll” [“Sun Microsystems, Inc.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {E2E2DD38-D088-4134-82B7-F2BA38496583}\ “MenuText” = “@xpsp3res.dll ,-20001” “Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ ConfigFree Service, CFSvcs, “C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe” [“TOSHIBA CORPORATION”] Harmonogram automatycznej usługi LiveUpdate, Harmonogram automatycznej usługi LiveUpdate, ““C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe”” [“Symantec Corporation”] Intel® PROSet/Wireless Event Log, EvtEng, “C:\Program Files\Intel\Wireless\Bin\EvtEng.exe” [“Intel Corporation”] Intel® PROSet/Wireless Registry Service, RegSrvc, “C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe” [“Intel Corporation”] Intel® PROSet/Wireless Service, S24EventMonitor, “C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe” ["Intel Corporation "] Kerio Personal Firewall 4, KPF4, ““C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe”” [“Kerio Technologies”] NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "] ServiceLayer, ServiceLayer, ““C:\Program Files\PC Connectivity Solution\ServiceLayer.exe”” [“Nokia.”] TOSHIBA Optical Disc Drive Service, TODDSrv, “C:\WINDOWS\system32\TODDSrv.exe” [“TOSHIBA Corporation”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 27 seconds. ---------- (total run time: 66 seconds)
Gutek
(Gutek)
12 Czerwiec 2007 18:11
#4
Yaho
(Jacho O)
13 Czerwiec 2007 05:09
#5
Wielkie dzięki!
Rejestr wyczyściłem CCleaner’em, przedtem usunąłem jeszcze - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe i zrobiłem fix
i
w Hijacku
adam9870
(adam9870)
13 Czerwiec 2007 05:28
#6
Yaho wymienione wpisy:
Są jak najbardziej poprawne i nie należy ich usuwać. Stanowią one część programu marki Norton i odpowiadają za proces aktualizacji.
Istnieje możliwość przywrócenia tych wpisów, z której radziłbym skorzystać. Zatem uruchom HijackThis, kliknij View the list of backups, postaw ptaszek przy wpisach, które chcesz przywrócić i kliknij Restore.
Yaho
(Jacho O)
13 Czerwiec 2007 12:18
#7
Witam ponownie!
Dzięki za podpowiedź,ale usunąłem to celowo,nie chciałem mieć już śladu po Nortonie .Komp teraz hula bez problemu,tylko zastanawiam się,czy zostawić NOD’a32,czy raczej wybrać Avasta?
Jeszcze raz dzięki wzytkim
TomaszP
(Tomasz Paziewski)
14 Czerwiec 2007 12:01
#8
Jeśli masz słabego kompa to bierz NOD’a. NOD w ogóle jest lepszy.
adam9870
(adam9870)
14 Czerwiec 2007 12:24
#9
Rozumiem, ale samo skasowanie wpisów O23 po Nortonie poprzez HijackThis nic nie daje dlatego proponuję skorzystać ze sposobu przedstawionego poniżej.
Wybierz Start -> Uruchom -> wpisz cmd i kliknij OK -> w konsoli, która się otworzy wydaj następujące polecenia, a następnie ją zamknij i najlepiej ponownie uruchom komputer.
Dodatkowo skorzystaj z całkowicie darmowego narzędzia służącego do skutecznego usuwania produktów marki Norton z systemu - SymNRT .
Yaho
(Jacho O)
14 Czerwiec 2007 13:29
#10
Myślałem,że wystarczyło pousuwać pliki pozostałe po odinstalowaniu Nortona i wyczyścić rejestr,a na koniec zafixować w Hijacku.Dzięki za podpowiedź