Trojan w Nortonie


(Krzysiek855) #1

Witam,

zeskanowalem caly system Nortonem i nic nie wykryl a jak siedze na necie wyskakuje mi komunikat o tym, ze wykryl Trojana i nie moze usunac:(. Takie sa zrodla i za kazdym razem nie moze usunac:/.

C:\WINDOWS\system32{FD55A44C-35F9-4124-A7C6-ED38DD0C6946}.exe

C:\WINDOWS\system32{D64A0C45-0D22-47C7-9274-3804D8E9673C}.exe

C:\WINDOWS\system32{4E3FA783-222A-4A7F-94A1-739DB5DA5667}.exe


(aju) #2

Najlepiej wklej logi hijackthis i silent runners


(Krzysiek855) #3
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"wqmf" = "C:\PROGRA~1\COMMON~1\wqmf\wqmfm.exe" [file not found]

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"NCLaunch" = "C:\WINDOWS\NCLAUNCH.EXe" ["Northcode Inc."]

"WhenUSave" = ""C:\Program Files\Save\Save.exe"" [file not found]

"Free Download Manager" = "C:\Program Files\Free Download Manager\fdm.exe -autorun" [file not found]

"KillAndClean" = ""C:\Program Files\KillAndClean\KillAndClean.exe"" [file not found]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

"NAV CfgWiz" = "C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"" ["Symantec Corporation"]

"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]

"HR" = "C:\Program Files\Oleansoft\HR\Hr.exe" [file not found]

"tcactive" = "C:\Program Files\The Cleaner\tca.exe" ["MooSoft Development"]

"tcmonitor" = "C:\Program Files\The Cleaner\tcm.exe" ["MooSoft Development"]

"dmcdo.exe" = "C:\WINDOWS\system32\dmcdo.exe" [null data]

"judpo.exe" = "C:\WINDOWS\system32\judpo.exe" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Companion BHO"

                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Google Toolbar Helper"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "CNavExtBho Class"

                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {HKLM...CLSID} = "Shell Search Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"

  -> {HKLM...CLSID} = "MCLiteShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\ICQ-PL\ICQLiteShell.dll" [empty string]

"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"

  -> {HKLM...CLSID} = "Sony Ericsson File Manager"

                   \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

INFECTION WARNING! "System" = "cssng.exe" [null data]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [file not found]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"

  -> {HKLM...CLSID} = "MCLiteShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\ICQ-PL\ICQLiteShell.dll" [empty string]

Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"

  -> {HKLM...CLSID} = "IEContextMenu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

TheCleaner\(Default) = "{2DE506B9-4320-11d3-8E42-002035221EDA}"

  -> {HKLM...CLSID} = "The Cleaner"

                   \InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"

  -> {HKLM...CLSID} = "MCLiteShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\ICQ-PL\ICQLiteShell.dll" [empty string]

TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"

  -> {HKLM...CLSID} = "The Cleaner"

                   \InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"

  -> {HKLM...CLSID} = "IEContextMenu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"

  -> {HKLM...CLSID} = "The Cleaner"

                   \InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Kris\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]



Startup items in "Kris" & "All Users" startup folders:

------------------------------------------------------


C:\Documents and Settings\Kris\Menu Start\Programy\Autostart

"ICQ-PL - Auto Update" -> shortcut to: "C:\Program Files\ICQ-PL\ICQ-PL_5.03_build_2315.exe /DELAY=120" ["PSZETFURNIA"]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]



Enabled Scheduled Tasks:

------------------------


"Norton AntiVirus - Skanuj komputer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"

  -> {HKLM...CLSID} = "Norton AntiVirus"

                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"

  -> {HKLM...CLSID} = "Yahoo! Companion"

                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll" ["Yahoo! Inc."]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"

  -> {HKLM...CLSID} = "Norton AntiVirus"

                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Companion"

                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]


Explorer Bars


HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

{21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Shell Search Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


SAVScan, SAVScan, ""C:\Program Files\Norton AntiVirus\SAVScan.exe"" ["Symantec Corporation"]

Sygate Personal Firewall Pro, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]

Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]

Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]

SymWMI Service, SymWSC, ""C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]

Usługa Auto Protect programu Norton AntiVirus, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 162 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 15 seconds.

---------- (total run time: 220 seconds)

Logfile of HijackThis v1.99.1

Scan saved at 01:22:38, on 2006-07-21

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\The Cleaner\tca.exe

C:\Program Files\The Cleaner\tcm.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\NCLAUNCH.EXe

C:\Program Files\ICQ-PL\X_ICQ-PL_5.03_build_2315.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Kris\Pulpit\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - Default URLSearchHook is missing

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [HR] C:\Program Files\Oleansoft\HR\Hr.exe

O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe

O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe

O4 - HKLM\..\Run: [judpo.exe] C:\WINDOWS\system32\judpo.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [wqmf] C:\PROGRA~1\COMMON~1\wqmf\wqmfm.exe

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe

O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"

O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun

O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"

O4 - Startup: ICQ-PL - Auto Update.lnk = C:\Program Files\ICQ-PL\ICQ-PL_5.03_build_2315.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1BCC4F0A-1D8E-4092-B41D-FEE56D53CB16}: NameServer = 85.255.114.195,85.255.112.139

O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC12D4F-B7E7-4B20-948D-D93206B87B85}: NameServer = 85.255.114.195,85.255.112.139

O17 - HKLM\System\CCS\Services\Tcpip\..\{932BCD51-517A-4C8F-9450-5568772B2C40}: NameServer = 85.255.114.195,85.255.112.139

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.139

O17 - HKLM\System\CS1\Services\Tcpip\..\{1BCC4F0A-1D8E-4092-B41D-FEE56D53CB16}: NameServer = 85.255.114.195,85.255.112.139

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.139

O17 - HKLM\System\CS2\Services\Tcpip\..\{1BCC4F0A-1D8E-4092-B41D-FEE56D53CB16}: NameServer = 85.255.114.195,85.255.112.139

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.139

O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Usługa Auto Protect programu Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

(Gblade) #4

W dodaj/usuń odinstalowujesz wszystko co będzie z tego syfu:


(Krzysiek855) #5

Nie wiem, czy wszytsko dobrze zrobilem, ale sciagnalem tez program Ewido, o ktorym znalazlem info w innym temacie i znalazl 2 trojany:).

Dzieki za pomoc :slight_smile: .

Logfile of HijackThis v1.99.1

Scan saved at 13:28:38, on 2006-07-21

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\NCLAUNCH.EXe

C:\Program Files\Gadu-Gadu\gg.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Kris\Pulpit\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe

O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1BCC4F0A-1D8E-4092-B41D-FEE56D53CB16}: NameServer = 85.255.114.195,85.255.112.139

O17 - HKLM\System\CCS\Services\Tcpip\..\{932BCD51-517A-4C8F-9450-5568772B2C40}: NameServer = 85.255.114.195,85.255.112.139

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.139

O17 - HKLM\System\CS1\Services\Tcpip\..\{1BCC4F0A-1D8E-4092-B41D-FEE56D53CB16}: NameServer = 85.255.114.195,85.255.112.139

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.139

O17 - HKLM\System\CS2\Services\Tcpip\..\{1BCC4F0A-1D8E-4092-B41D-FEE56D53CB16}: NameServer = 85.255.114.195,85.255.112.139

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.139

O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Usługa Auto Protect programu Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"NCLaunch" = "C:\WINDOWS\NCLAUNCH.EXe" ["Northcode Inc."]

"Free Download Manager" = "C:\Program Files\Free Download Manager\fdm.exe -autorun" [file not found]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

"NAV CfgWiz" = "C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"" ["Symantec Corporation"]

"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]

"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]

"!ewido" = ""C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Companion BHO"

                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Google Toolbar Helper"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "CNavExtBho Class"

                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {HKLM...CLSID} = "Shell Search Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"

  -> {HKLM...CLSID} = "MCLiteShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\ICQ-PL\ICQLiteShell.dll" [empty string]

"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"

  -> {HKLM...CLSID} = "Sony Ericsson File Manager"

                   \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

"System" = (value not set)


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [file not found]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"

  -> {HKLM...CLSID} = "MCLiteShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\ICQ-PL\ICQLiteShell.dll" [empty string]

Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"

  -> {HKLM...CLSID} = "IEContextMenu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"

  -> {HKLM...CLSID} = "MCLiteShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\ICQ-PL\ICQLiteShell.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"

  -> {HKLM...CLSID} = "IEContextMenu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Kris\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]



Startup items in "Kris" & "All Users" startup folders:

------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]



Enabled Scheduled Tasks:

------------------------


"Norton AntiVirus - Skanuj komputer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"

  -> {HKLM...CLSID} = "Norton AntiVirus"

                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"

  -> {HKLM...CLSID} = "Yahoo! Companion"

                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll" ["Yahoo! Inc."]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"

  -> {HKLM...CLSID} = "Norton AntiVirus"

                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Companion"

                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]


Explorer Bars


HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

{21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Shell Search Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]

SAVScan, SAVScan, ""C:\Program Files\Norton AntiVirus\SAVScan.exe"" ["Symantec Corporation"]

Sygate Personal Firewall Pro, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]

Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]

Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]

SymWMI Service, SymWSC, ""C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]

Usługa Auto Protect programu Norton AntiVirus, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 85 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 12 seconds.

---------- (total run time: 117 seconds)

Fixwareout ver 1.003

Last edited 07/1/2006

Post this report in the forums please

Reg Entries that were deleted

...

Random Runs removed from HKLM

...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Example ipsec6.exe is legitimate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»

Search five digit cs, dm and jb files

This WILL/CAN also list Legit Files, Submit them at Virustotal

C:\WINDOWS\SYSTEM32\CSXAN.EXE 51 294 2006-07-19

Other suspects

Directory of C:\WINDOWS\system32

{E34318DF-D768-44A9-A2B9-0B137740C9E1}.exe

{CFCA4A0D-06AB-4523-AFAE-EFDCD1EDFD4F}.exe

{69501EB9-D735-4764-91B6-43A56DF9906D}.exe

{11E52039-681C-4D81-9BD0-DDDA79583EA8}.exe

{660FD0E0-B7A1-46CD-9282-5C8025F85AE4}.exe

{508A54D1-373F-49D9-ACC1-5E6AB3538D62}.exe

{994DE620-4339-40DA-8298-4774BFB5E5AF}.exe

{58779947-CDEB-418B-99EF-5AD9C8B3C693}.exe

{629C095B-5F91-425E-A5F4-F8F602406725}.exe

{7F480A88-EA78-4286-8958-9455D588DC1B}.exe

{41BE1E0F-CB16-479F-ABBB-72850869867C}.exe

{3EA5F6DF-3413-4FBB-8FD4-E63E2374F827}.exe

{FEABE74D-D463-4C01-97A7-2A9FC6655ED8}.exe

{7E56EBE3-DF42-4C00-B805-4B69A124C9BC}.exe

{6F29A756-C854-435C-932E-CD5172BFFE11}.exe

{52FF0F5E-D068-4F1B-906B-BFFEBCC824D0}.exe

{16454BA8-B2F9-4A2F-9A49-623DA1256429}.exe

{58868D1E-DF16-4581-80FA-43D08C1EC3C2}.exe

{38C6CF16-31C0-4872-8676-5F10848D15EA}.exe

{270B81C5-1345-4B56-8B0C-277A84DAB369}.exe

{F1526FA3-FA22-4799-9057-42BC71D456E0}.exe

{ADE96A04-D125-455F-B57E-7911604EA0D3}.exe

{6CAF72F1-CAF9-4B39-B119-2BAEFBC95399}.exe

{95604C9E-8A59-4CDE-8D11-A77502509D33}.exe

{95415F79-CCF9-4CA3-8CF5-675529E7C35D}.exe

{A2F3B0B5-F08A-4979-ACE3-48335048AC2B}.exe

{E3B8243C-ACEE-4BBF-A934-822FDC840C40}.exe

{22721C31-0378-4F4D-8347-88F6EF08D0E5}.exe

{344B75FC-0B61-4565-A882-857B995129DC}.exe

{3D25FE26-EDFB-4AB6-84C5-F3442CEFEAF2}.exe

{F5DF4C6C-6F69-495B-B05A-F395EB1013CF}.exe

{877B242B-759A-403C-8381-88AF3C6C49C1}.exe

{6619F215-DBD9-4B0A-A636-7B953F24EC76}.exe

{E509CEC0-F924-4F43-85D1-D37CDC2917CB}.exe

{916907FE-D0C1-4414-81F4-AC41E3F474AF}.exe

{78C7D78B-27FE-4000-85E3-B37EBB70A013}.exe

{9C51517E-A656-4734-B9BD-7DAFFDF4DBEE}.exe

{31D7760F-FF11-437D-BA60-D3FD686B9BE8}.exe

{13EF2874-DE83-4003-888B-B3D88E8B33F1}.exe

{B0B850A4-2D58-4111-A243-DC6DF7CD5FB3}.exe

{95DCCD4F-BE37-4EB5-9590-0826D75393A0}.exe

{27EE4554-0CF1-442B-90B4-2B12933B823E}.exe

{FD55A44C-35F9-4124-A7C6-ED38DD0C6946}.exe

{D64A0C45-0D22-47C7-9274-3804D8E9673C}.exe

{4E3FA783-222A-4A7F-94A1-739DB5DA5667}.exe

{26037B22-21C0-4B82-A9A6-10D65BEA3870}.exe

{4D335D97-1A70-46B1-9DBF-341CCFFF2628}.exe

{31306C1C-3DEF-4509-B162-BA4EFEE58F83}.exe

{F190A88E-21B8-43C5-A045-15CBA2775514}.exe

{BE68CF4D-B963-4AC2-92D7-F3427887D115}.exe

{A47BF4B8-0CA8-4AA7-BC44-9BBC05B4369A}.exe

{86565163-95F5-404F-B073-520E71534E8E}.exe

{FDE6ECE4-66AA-4C66-8176-4A7001E7E7E3}.exe

{81C73081-2410-4B9B-BD9C-E26F0842DBFD}.exe

{339656EE-2E1C-4123-B583-3E23A564BB52}.exe

{4F11D161-47EC-4F0A-A03B-6F65F8257D8E}.exe

{91DBF664-535B-491B-85BB-C43E8F3B5448}.exe

{55A45F0D-26FC-4CA4-B861-AF8BD369C88A}.exe

{8AD0B14D-6E1D-48F4-B5DB-96C23E195354}.exe

{FCB91897-C854-4609-A222-E40119C69419}.exe

{047D1AE7-BF73-4CE1-8FD1-A11A16048F08}.exe

{2529722E-8E76-4E2D-AA2B-C1EC52C22D61}.exe

{1125958E-789B-41EA-8550-3000C72251AA}.exe

{DD31D4C4-EC26-4AF8-8E75-3121484835BE}.exe

{0E71E44C-1D84-4084-99FE-9A7EBB753998}.exe

{C70CB304-78FC-47A1-94FB-EBA81BF46BDE}.exe

{1C113856-7AEA-4CAC-BA6B-D5021A0A4517}.exe

{1DFB786D-FFA6-4F50-A310-7B2638FDE258}.exe

{924D70A5-8A13-495E-8B96-06220DA751B1}.exe

{941C68FB-BE11-4F30-94B8-6F26AD134034}.exe

{787FF55A-7184-49D3-9E1A-F489F27CD6CF}.exe

{36D454FF-9A14-4180-B63B-E6988263519E}.exe

{DE6C3521-0BD1-45FC-9D8A-F75E205B4077}.exe

{C8BA4E98-C60F-4BFF-B46A-B9C5A257F3F3}.exe

{10AF6D0F-919B-405A-A0D2-4640A639BFD2}.exe

{58CA90FA-FACE-42FB-8BAE-3C53F79F8265}.exe

{F066B4D6-77EA-4F3E-99ED-BB9267344A2E}.exe

{B6C516E4-138E-48D9-9E87-222791496193}.exe

{2D7FC00F-727B-469B-BE80-739F670C17A8}.exe

{41CCE806-2FC5-4F92-AD53-227712A2ECA4}.exe

{021CCC18-1F5E-4FFE-BE61-35226B267151}.exe

{A7151EF8-DB6F-4F36-9826-C533D35F3BAB}.exe

{B6C158AE-C0AA-4048-A773-CD88BF6D623C}.exe

{8025FADB-7CFD-4D53-A3D3-48B1744B6012}.exe

{5D7B0151-E220-461F-8853-9D7AF31C5D49}.exe

{9DA18BC0-CACB-47ED-9FCD-3D3CDB86733D}.exe

{0A3BB146-51BE-4190-A799-77BDC4C67C01}.exe

{384583DF-C815-4731-BE4D-9E55AF14466A}.exe

{BD34A69E-1DDE-40F0-B3AA-AE3A48A6FC9B}.exe

{8AD3B55F-BC71-4244-9C6D-12ACA57485AF}.exe

{4DD6DEE0-43D3-4A2A-8759-C4FC7DEE1D46}.exe

{C14ACC64-99F6-4EE8-9557-3874421BA0F5}.exe

{C592817E-B5F7-4E1C-8FCE-A2F01A7BB7A0}.exe

{1230BEF0-0B19-4D51-B3A6-629CB705F869}.exe

{F498F18C-CB8D-4BA6-94FB-25CE7EE0A512}.exe

{2F215EB3-564A-467D-AE85-C18304B8257C}.exe

{7C9F837B-2019-48E1-B818-9D8C187D7EFE}.exe

{2542570F-3DD4-4B46-9D60-4E83AC92F066}.exe

{3CC26981-4C81-456D-B315-8D82EB694394}.exe

{28EA22D4-0CD3-48D9-BF3A-53FC7C75EA48}.exe

{E4084D29-C6C5-4DBE-BB5C-09EF4C61FAC5}.exe

{A7BBC31F-BDBD-4403-BC52-AE652E9C0158}.exe


(Gblade) #6

Otwórz notatnik i wklej:

Plik>>>zapisz jako>>>zmień rozszerzenie z .txt na wszystkie pliki>>>zapisz pod nazwą FIX.BAT np. na pulpicie>>>start do trybu awaryjnego, uruchomić FIX.BAT, nowy log z hjt + fixwareout


(Krzysiek855) #7
Logfile of HijackThis v1.99.1

Scan saved at 17:55:44, on 2006-07-21

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\NCLAUNCH.EXe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Kris\Pulpit\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe

O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1BCC4F0A-1D8E-4092-B41D-FEE56D53CB16}: NameServer = 85.255.114.195,85.255.112.139

O17 - HKLM\System\CCS\Services\Tcpip\..\{932BCD51-517A-4C8F-9450-5568772B2C40}: NameServer = 85.255.114.195,85.255.112.139

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.139

O17 - HKLM\System\CS1\Services\Tcpip\..\{1BCC4F0A-1D8E-4092-B41D-FEE56D53CB16}: NameServer = 85.255.114.195,85.255.112.139

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.139

O17 - HKLM\System\CS2\Services\Tcpip\..\{1BCC4F0A-1D8E-4092-B41D-FEE56D53CB16}: NameServer = 85.255.114.195,85.255.112.139

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.139

O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Usługa Auto Protect programu Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Fixwareout ver 1.003

Last edited 07/1/2006

Post this report in the forums please

Reg Entries that were deleted

...

Random Runs removed from HKLM

...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Example ipsec6.exe is legitimate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»

Search five digit cs, dm and jb files

This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects

Directory of C:\WINDOWS\system32


(Gblade) #8

fixwareout ok, ale w hijackthis nadal to samo, skasuj to wreszcie ;]


(Krzysiek855) #9

Skasowane :slight_smile: .Ale tak to jest jak sie jest laikiem :mrgreen: .

Dzieki za pomoc, z kompem juz wszystko ok. Przynajmniej jak narazie :wink: .

Pzdr.