system
(system)
7 September 2007 15:19
#1
Hello
Since the day before yesterday I have had the above-mentioned virus on my computer and I can't deal with it on my own.
Below I'm pasting the logs from HijackThis and Silent Runners:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:36:03, on 2007-09-06
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Alwil Software\Management Tools\mirror\httpd.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AVAST\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$AVAST\Binn\sqlagent.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
E:\Config.Msi\Spyware Nuker\swnxt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\phonostar\ps_agent.exe
C:\Program Files\phonostar\ps_timer.exe
E:\uTorrent\uTorrent.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Config.Msi\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C5E019769AA475760EA83FA5EF80752B94E3D6795E75402A39C6 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINDOWS\nsduo.dll
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - E:\Config.Msi\MegaIEMn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - C:\Program Files\Seekmo Programs\Seekmo Toolbar\SeekmoTB.dll (file missing)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM…\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [sS1HelperStartUp] C:\PROGRA~1\SEASID~1\SS1HEL~1.EXE /partner SS1
O4 - HKLM…\Run: [aswSdWiz] C:\PROGRA~1\ALWILS~1\Avast4\aswSdWiz.exe /i
O4 - HKLM…\Run: [links] links.exe
O4 - HKLM…\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM…\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM…\Run: [NI.UERS_0001_N68M1801] "C:\Documents and Settings\darek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\6TDMJQ94\ErrorSafeFreeInstall[1].exe" -nag
O4 - HKLM…\Run: [ulead AutoDetector] C:\Monitor.exe
O4 - HKLM…\Run: [sWN2] E:\Config.Msi\Spyware Nuker\swnxt.exe /h
O4 - HKLM…\Run: [seekmo] "c:\program files\seekmo\seekmo.exe"
O4 - HKLM…\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM…\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM…\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM…\Run: [TrojanScanner] E:\Config.Msi\Trojan Remover\Trjscan.exe
O4 - HKLM…\Run: [dbylnno] c:\windows\system32\dbylnno.exe dbylnno
O4 - HKLM…\RunOnce: [HLinit] c:\progra~1\filesu~1\shanno~1.zip\hyperl~1.exe
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU…\Run: [Komunikator] "E:\Komunikator Tlen\tlen.exe"
O4 - HKCU…\Run: [Registry Cleaner] "C:\Program Files\TPT Registry_Cleaner (Trial)\regclean.exe"
O4 - HKCU…\Run: [WinFixer2006] "C:\Program Files\WinFixer_2006\uwfx6.exe" /min
O4 - HKCU…\Run: [instant Access] rundll32.exe EGACCESS4_1060.dll,InstantAccess
O4 - HKCU…\Run: [AQQ] D:\AQQMOV~1\AQQ\AQQ.exe
O4 - HKCU…\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe
O4 - HKCU…\Run: [iDMan] E:\Config.Msi\ALLPlayer\LANG\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU…\Run: [PhonostarAgent] C:\Program Files\phonostar\ps_agent.exe
O4 - HKCU…\Run: [PhonostarTimer] C:\Program Files\phonostar\ps_timer.exe
O4 - HKCU…\Run: [Gadu-Gadu] "D:\gg\Gadu-Gadu\gg.exe" /tray
O4 - HKCU…\Run: [uTorrent] "E:\uTorrent\uTorrent.exe"
O4 - HKCU…\Run: [eMuleAutoStart] D:\emule\Nowy folder\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: .protected
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: .protected
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.h … xmk361YYPL
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - E:\Config.Msi\ALLPlayer\LANG\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - E:\Config.Msi\ALLPlayer\LANG\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz za pomocą Mega Manager… - E:\Config.Msi\mm_file.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: eBay Startseite - {8B69DB2E-015D-4c4f-B97E-95EF5326BDA8} - http://adfarm.mediaplex.com/ad/ck/707-1 … es.ebay.de (file missing)
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu … 0.0.15.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {37A49D66-2735-4BB9-8503-82BA5E2333D0} (MailCfg Control) - http://poczta.wp.pl/d305/mailcfg.ocx
O16 - DPF: {AF7410C1-FBA3-415E-800A-4110CED40536} - http://us2-scripts.dlv4.com/binaries/eg … 060_XP.cab
O21 - SSODL: msmhost - {5F321404-AFA9-4604-B420-517F4823E73B} - C:\WINDOWS\msmhost.dll
O21 - SSODL: msmdev - {6E3FE0CD-F280-4DE9-AD59-3688F64BB73A} - C:\WINDOWS\msmdev.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Mirror HTTP Server (aswHTTPMirror) - Unknown owner - C:\Program Files\Alwil Software\Management Tools\mirror\httpd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Management Server - ALWIL Software - C:\Program Files\Alwil Software\Management Tools\avEngine.exe
O24 - Desktop Component 0: (no name) - http://photos.aukcje.wosp.org.pl/photos … 5963/59639
O24 - Desktop Component 1: (no name) - http://www.pilskie.com/templates/rk_not … _r3_c1.jpg
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/darek/USTAWI~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 3: (no name) - file://E:\Moje obrazy\różne\Nowy folder (3)\Zdjecie 10.jpg
O24 - Desktop Component 4: (no name) - http://www.zdjecia.pl/images/galeria/20 … cn7856.jpg

--
End of file - 11996 bytes
and from Silent Runners:
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Komunikator" = ""E:\Komunikator Tlen\tlen.exe" " [file not found]
"Registry Cleaner" = ""C:\Program Files\TPT Registry_Cleaner (Trial)\regclean.exe"" [file not found]
"WinFixer2006" = ""C:\Program Files\WinFixer_2006\uwfx6.exe" /min" [file not found]
"Instant Access" = "rundll32.exe EGACCESS4_1060.dll,InstantAccess" [MS]
"AQQ" = "D:\AQQMOV~1\AQQ\AQQ.exe" ["AQQ Sp. z o.o."]
"Odkurzacz-MCD" = "C:\Program Files\Odkurzacz\odk_mcd.exe" ["Franmo Software"]
"odk_mcd" = "(empty string)" [file not found]
"IDMan" = "E:\Config.Msi\ALLPlayer\LANG\Internet Download Manager\IDMan.exe /onboot" [file not found]
"PhonostarAgent" = "C:\Program Files\phonostar\ps_agent.exe" ["phonostar"]
"PhonostarTimer" = "C:\Program Files\phonostar\ps_timer.exe" ["phonostar"]
"Gadu-Gadu" = ""D:\gg\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"uTorrent" = ""E:\uTorrent\uTorrent.exe"" [null data]
"eMuleAutoStart" = "D:\emule\Nowy folder\eMule\emule.exe -AutoStart" ["http://www.emule-project.net "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NVRaidService" = "C:\WINDOWS\System32\nvraidservice.exe" ["NVIDIA Corporation"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SS1HelperStartUp" = "C:\PROGRA~1\SEASID~1\SS1HEL~1.EXE /partner SS1" [file not found]
"aswSdWiz" = "C:\PROGRA~1\ALWILS~1\Avast4\aswSdWiz.exe /i" [file not found]
"links" = "links.exe" [file not found]
"Media Gateway" = "C:\Program Files\Media Gateway\MediaGateway.exe" [file not found]
"avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"NI.UERS_0001_N68M1801" = ""C:\Documents and Settings\darek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\6TDMJQ94\ErrorSafeFreeInstall[1].exe" -nag " [file not found]
"Ulead AutoDetector" = "C:\Monitor.exe" [file not found]
"SWN2" = "E:\Config.Msi\Spyware Nuker\swnxt.exe /h" ["Trek Blue, Inc"]
"seekmo" = ""c:\program files\seekmo\seekmo.exe"" [file not found]
"New.net Startup" = "rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s" [MS]
"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"MsgCenterExe" = ""C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot" [file not found]
"TrojanScanner" = "E:\Config.Msi\Trojan Remover\Trjscan.exe" ["Simply Super Software"]
"dbylnno" = "c:\windows\system32\dbylnno.exe dbylnno" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"HLinit" = "c:\progra~1\filesu~1\shanno~1.zip\hyperl~1.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
  -> {HKLM…CLSID} = "AcroIEHlprObj Class"
     \InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{07B18EA1-A523-4961-B6BB-170DE4475CCA}(Default) = (no title provided)
  -> {HKLM…CLSID} = "mwsBar BHO"
     \InProcServer32(Default) = "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL" ["MyWebSearch.com "]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided)
  -> {HKLM…CLSID} = "Megaupload Toolbar"
     \InProcServer32(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]
{5929CD6E-2062-44a4-B2C5-2C7E78FBAB38}(Default) = "Seekmo Search Assistant Helper /fleok=1D8A83A5C5E019769AA475760EA83FA5EF80752B94E3D6795E75402A39C6"
  -> {HKLM…CLSID} = "Seekmo Search Assistant Helper"
     \InProcServer32(Default) = "c:\program files\seekmo\seekmohook.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
  -> {HKLM…CLSID} = "SSVHelper Class"
     \InProcServer32(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{88418AA3-16F5-4FC2-A9D8-90B1266DF841}(Default) = (no title provided)
  -> {HKLM…CLSID} = "MSVPS System"
     \InProcServer32(Default) = "C:\WINDOWS\nsduo.dll" [empty string]
{944864A5-3916-46E2-96A9-A2E84F3F1208}(Default) = (no title provided)
  -> {HKLM…CLSID} = "ADefaultSearch Class"
     \InProcServer32(Default) = "C:\Program Files\Accoona\ASearchAssist.dll" [file not found]
{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)
  -> {HKLM…CLSID} = "Google Toolbar Helper"
     \InProcServer32(Default) = "c:\program files\google\googletoolbar2.dll" [file not found]
{bf00e119-21a3-4fd1-b178-3b8537e75c92}(Default) = "Mega Manager IE Click Monitor"
  -> {HKLM…CLSID} = "IeMonitorBho Class"
     \InProcServer32(Default) = "E:\Config.Msi\MegaIEMn.dll" ["Megaupload Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM…CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM…CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM…CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM…CLSID} = "Microsoft Office Outlook"
     \InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM…CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM…CLSID} = "Portable Media Devices Menu"
     \InProcServer32(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM…CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}" = "AQQ File Transfer Shell Extension"
  -> {HKLM…CLSID} = "AQQ File Transfer Shell Extension"
     \InProcServer32(Default) = "D:\AQQMOV~1\AQQ\System\AQQSHE~1.DLL" [null data]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Uniwersalne urządzenia Plug and Play"
  -> {HKLM…CLSID} = "Uniwersalne urządzenia Plug and Play"
     \InProcServer32(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
  -> {HKLM…CLSID} = "Trojan Remover Shell Extension"
     \InProcServer32(Default) = "E:\Config.Msi\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"msmhost" = "{5F321404-AFA9-4604-B420-517F4823E73B}"
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\WINDOWS\msmhost.dll" [null data]
"msmdev" = "{6E3FE0CD-F280-4DE9-AD59-3688F64BB73A}"
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\WINDOWS\msmdev.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\
AQQFileTransfer(Default) = "{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}"
  -> {HKLM…CLSID} = "AQQ File Transfer Shell Extension"
     \InProcServer32(Default) = "D:\AQQMOV~1\AQQ\System\AQQSHE~1.DLL" [null data]
Shell Extension for Malware scanning(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM…CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
Trojan Remover(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
  -> {HKLM…CLSID} = "Trojan Remover Shell Extension"
     \InProcServer32(Default) = "E:\Config.Msi\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM…CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
Trojan Remover(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
  -> {HKLM…CLSID} = "Trojan Remover Shell Extension"
     \InProcServer32(Default) = "E:\Config.Msi\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\darek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Active Desktop web content (hidden if disabled):

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\2\
"FriendlyName" = ""
"Source" = "file:///C:/DOCUME~1/darek/USTAWI~1/Temp/msohtml1/01/clip_image002.jpg"
"SubscribedURL" = "file:///C:/DOCUME~1/darek/USTAWI~1/Temp/msohtml1/01/clip_image002.jpg"

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\3\
"FriendlyName" = ""
"Source" = "file://E:\Moje obrazy\różne\Nowy folder (3)\Zdjecie 10.jpg"
"SubscribedURL" = "file://E:\Moje obrazy\różne\Nowy folder (3)\Zdjecie 10.jpg"

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\5\
"FriendlyName" = "Privacy Protection"
"Source" = "file:///C:\WINDOWS\privacy_danger\index.htm"
"SubscribedURL" = ""


Startup items in "darek" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\darek\Menu Start\Programy\Autostart
<> ".protected" [null data]
"MyWebSearch Email Plugin" -> shortcut to: "C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE" [file not found]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
<> ".protected" [null data]
"gwum" -> shortcut to: "C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe" [empty string]
"RaConfig2500" -> shortcut to: "C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe" ["Ralink Technology, Corp."]
"Service Manager" -> shortcut to: "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{5AA06644-BC46-4220-A460-47A6EB47C96D}"
  -> {HKLM…CLSID} = "NavExcel Toolbar"
     \InProcServer32(Default) = "C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll" [file not found]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM…CLSID} = "&Google"
     \InProcServer32(Default) = "c:\program files\google\googletoolbar2.dll" [file not found]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{5AA06644-BC46-4220-A460-47A6EB47C96D}"
  -> {HKLM…CLSID} = "NavExcel Toolbar"
     \InProcServer32(Default) = "C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll" [file not found]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM…CLSID} = "Yahoo! Toolbar"
     \InProcServer32(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" [file not found]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM…CLSID} = "&Google"
     \InProcServer32(Default) = "c:\program files\google\googletoolbar2.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM…CLSID} = "Yahoo! Toolbar"
     \InProcServer32(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" [file not found]
"{53E0B6E8-A51D-448B-B692-40B67B285543}" = "Seekmo Toolbar"
  -> {HKLM…CLSID} = "Seekmo Toolbar"
     \InProcServer32(Default) = "C:\Program Files\Seekmo Programs\Seekmo Toolbar\SeekmoTB.dll" [file not found]
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)
  -> {HKLM…CLSID} = "Megaupload Toolbar"
     \InProcServer32(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}(Default) = "My Web Search Quick View"
Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = "&Badanie"
Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
  -> {HKLM…CLSID} = "Java Plug-in 1.6.0_01"
     \InProcServer32(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

{8B69DB2E-015D-4C4F-B97E-95EF5326BDA8}\
"ButtonText" = "eBay Startseite"
"Exec" = "http://adfarm.mediaplex.com/ad/ck/707-1170-5704-77?RedirectEnter&partner=36420&loc=http://pages.ebay.de " [file not found]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> "{00A6FAF6-072E-44cf-8957-5838F569A31D}" = (no title provided)
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL" [file not found]

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

<> "Tabs" = "C:\Documents and Settings\darek\Dane aplikacji\MegauploadToolbar\tabwelcome.html" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Agent SAP, NwSapAgent, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipxsap.dll" [MS]}
AntiVir Scheduler, AntiVirScheduler, "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! iAVS4 Mirror HTTP Server, aswHTTPMirror, "C:\Program Files\Alwil Software\Management Tools\mirror\httpd.exe" [null data]
MSSQL$AVAST, MSSQL$AVAST, "C:\Program Files\Microsoft SQL Server\MSSQL$AVAST\Binn\sqlservr.exe -sAVAST" [MS]
SQLAgent$AVAST, SQLAgent$AVAST, "C:\Program Files\Microsoft SQL Server\MSSQL$AVAST\Binn\sqlagent.EXE -i AVAST" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Monitor 2 języka BJ\Driver = "CNBJMON2.DLL" [MS]


----------
(launch time: 2007-09-06 20:20:36)
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at
  the first message box and "Yes" at the second message box.
---------- (total run time: 654 seconds,
including 5 seconds for message boxes)
I'd be grateful for help, regards.
Raven55
(Milland)
7 September 2007 16:09
#2
Add a log from Combofix, or at least from Deckard System Scanner
system
(system)
7 September 2007 20:36
#3
Gutek
(Gutek)
7 September 2007 22:25
#4
Use SmitFraudFix, choose option no. 2, in safe mode of course, and after that a new log from Combofix
system
(system)
7 September 2007 23:29
#5
Here is the log from SmitFraudFix (option 2):
SmitFraudFix v2.221

Scan done at 1:24:21,09, 2007-09-09
Run from E:\Config.Msi\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Karta Realtek RTL8139 Family PCI Fast Ethernet NIC - Sterownik miniport Harmonogramu pakietów
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip…{87078B80-63B4-40CB-9581-74CC6F114C65}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip…{87078B80-63B4-40CB-9581-74CC6F114C65}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip…{87078B80-63B4-40CB-9581-74CC6F114C65}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
jessica
(jessica)
8 September 2007 05:11
#6
SmitfraudFix didn't detect anything, but in my opinion not everything that was visible in the Hijack log has been removed.
That's why I suggest posting new logs from Hijack and Silent.
But before that, do this:
Now post the logs from Hijack and Silent.
jessi
Gutek
(Gutek)
8 September 2007 08:31
#7
True, not everything; along with the Hijack and Silent logs, a new one from Combo!
system
(system)
8 September 2007 10:07
#8
Here is the HT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:08, on 2007-09-09
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Alwil Software\Management Tools\mirror\httpd.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AVAST\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AVAST\Binn\sqlagent.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
E:\Config.Msi\Spyware Nuker\swnxt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\phonostar\ps_agent.exe
C:\Program Files\phonostar\ps_timer.exe
E:\uTorrent\utorrent.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\REGEDIT.exe
E:\Config.Msi\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - E:\Config.Msi\MegaIEMn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - C:\Program Files\Seekmo Programs\Seekmo Toolbar\SeekmoTB.dll (file missing)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sS1HelperStartUp] C:\PROGRA~1\SEASID~1\SS1HEL~1.EXE /partner SS1
O4 - HKLM\..\Run: [aswSdWiz] C:\PROGRA~1\ALWILS~1\Avast4\aswSdWiz.exe /i
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NI.UERS_0001_N68M1801] "C:\Documents and Settings\darek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\6TDMJQ94\ErrorSafeFreeInstall[1].exe" -nag
O4 - HKLM\..\Run: [ulead AutoDetector] C:\Monitor.exe
O4 - HKLM\..\Run: [sWN2] E:\Config.Msi\Spyware Nuker\swnxt.exe /h
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TrojanScanner] E:\Config.Msi\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunOnce: [HLinit] c:\progra~1\filesu~1\shanno~1.zip\hyperl~1.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Komunikator] "E:\Komunikator Tlen\tlen.exe"
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\TPT Registry_Cleaner (Trial)\regclean.exe"
O4 - HKCU\..\Run: [WinFixer2006] "C:\Program Files\WinFixer_2006\uwfx6.exe" /min
O4 - HKCU\..\Run: [AQQ] D:\AQQMOV~1\AQQ\AQQ.exe
O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe
O4 - HKCU\..\Run: [iDMan] E:\Config.Msi\ALLPlayer\LANG\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [PhonostarAgent] C:\Program Files\phonostar\ps_agent.exe
O4 - HKCU\..\Run: [PhonostarTimer] C:\Program Files\phonostar\ps_timer.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\gg\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [uTorrent] "E:\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [eMuleAutoStart] D:\emule\Nowy folder\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.h … xmk361YYPL
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - E:\Config.Msi\ALLPlayer\LANG\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - E:\Config.Msi\ALLPlayer\LANG\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz za pomocą Mega Manager... - E:\Config.Msi\mm_file.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: eBay Startseite - {8B69DB2E-015D-4c4f-B97E-95EF5326BDA8} - http://adfarm.mediaplex.com/ad/ck/707-1 … es.ebay.de (file missing)
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu … 0.0.15.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {37A49D66-2735-4BB9-8503-82BA5E2333D0} (MailCfg Control) - http://poczta.wp.pl/d305/mailcfg.ocx
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Mirror HTTP Server (aswHTTPMirror) - Unknown owner - C:\Program Files\Alwil Software\Management Tools\mirror\httpd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Management Server - ALWIL Software - C:\Program Files\Alwil Software\Management Tools\avEngine.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/darek/USTAWI~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file://E:\Moje obrazy\różne\Nowy folder (3)\Zdjecie 10.jpg
O24 - Desktop Component 2: (no name) - http://www.zdjecia.pl/images/galeria/20 … cn7856.jpg
O24 - Desktop Component 3: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 10510 bytes
From Silent:
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Komunikator" = ""E:\Komunikator Tlen\tlen.exe" " [file not found]
"Registry Cleaner" = ""C:\Program Files\TPT Registry_Cleaner (Trial)\regclean.exe"" [file not found]
"WinFixer2006" = ""C:\Program Files\WinFixer_2006\uwfx6.exe" /min" [file not found]
"AQQ" = "D:\AQQMOV~1\AQQ\AQQ.exe" ["AQQ Sp. z o.o."]
"Odkurzacz-MCD" = "C:\Program Files\Odkurzacz\odk_mcd.exe" ["Franmo Software"]
"odk_mcd" = "(empty string)" [file not found]
"IDMan" = "E:\Config.Msi\ALLPlayer\LANG\Internet Download Manager\IDMan.exe /onboot" [file not found]
"PhonostarAgent" = "C:\Program Files\phonostar\ps_agent.exe" ["phonostar"]
"PhonostarTimer" = "C:\Program Files\phonostar\ps_timer.exe" ["phonostar"]
"Gadu-Gadu" = ""D:\gg\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"uTorrent" = ""E:\uTorrent\utorrent.exe"" [null data]
"eMuleAutoStart" = "D:\emule\Nowy folder\eMule\emule.exe -AutoStart" ["http://www.emule-project.net "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NVRaidService" = "C:\WINDOWS\System32\nvraidservice.exe" ["NVIDIA Corporation"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SS1HelperStartUp" = "C:\PROGRA~1\SEASID~1\SS1HEL~1.EXE /partner SS1" [file not found]
"aswSdWiz" = "C:\PROGRA~1\ALWILS~1\Avast4\aswSdWiz.exe /i" [file not found]
"Media Gateway" = "C:\Program Files\Media Gateway\MediaGateway.exe" [file not found]
"avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"NI.UERS_0001_N68M1801" = ""C:\Documents and Settings\darek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\6TDMJQ94\ErrorSafeFreeInstall[1].exe" -nag " [file not found]
"Ulead AutoDetector" = "C:\Monitor.exe" [file not found]
"SWN2" = "E:\Config.Msi\Spyware Nuker\swnxt.exe /h" ["Trek Blue, Inc"]
"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"MsgCenterExe" = ""C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot" [file not found]
"TrojanScanner" = "E:\Config.Msi\Trojan Remover\Trjscan.exe" ["Simply Super Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"HLinit" = "c:\progra~1\filesu~1\shanno~1.zip\hyperl~1.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Megaupload Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{944864A5-3916-46E2-96A9-A2E84F3F1208}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "ADefaultSearch Class"
                   \InProcServer32\(Default) = "C:\Program Files\Accoona\ASearchAssist.dll" [file not found]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" [file not found]
{bf00e119-21a3-4fd1-b178-3b8537e75c92}\(Default) = "Mega Manager IE Click Monitor"
  -> {HKLM...CLSID} = "IeMonitorBho Class"
                   \InProcServer32\(Default) = "E:\Config.Msi\MegaIEMn.dll" ["Megaupload Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}" = "AQQ File Transfer Shell Extension"
  -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"
                   \InProcServer32\(Default) = "D:\AQQMOV~1\AQQ\System\AQQSHE~1.DLL" [null data]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Uniwersalne urządzenia Plug and Play"
  -> {HKLM...CLSID} = "Uniwersalne urządzenia Plug and Play"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
  -> {HKLM...CLSID} = "Trojan Remover Shell Extension"
                   \InProcServer32\(Default) = "E:\Config.Msi\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AQQFileTransfer\(Default) = "{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}"
  -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"
                   \InProcServer32\(Default) = "D:\AQQMOV~1\AQQ\System\AQQSHE~1.DLL" [null data]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
  -> {HKLM...CLSID} = "Trojan Remover Shell Extension"
                   \InProcServer32\(Default) = "E:\Config.Msi\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
  -> {HKLM...CLSID} = "Trojan Remover Shell Extension"
                   \InProcServer32\(Default) = "E:\Config.Msi\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Active Desktop web content (hidden if disabled):

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = ""
"Source" = "file:///C:/DOCUME~1/darek/USTAWI~1/Temp/msohtml1/01/clip_image002.jpg"
"SubscribedURL" = "file:///C:/DOCUME~1/darek/USTAWI~1/Temp/msohtml1/01/clip_image002.jpg"

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\1\
"FriendlyName" = ""
"Source" = "file://E:\Moje obrazy\różne\Nowy folder (3)\Zdjecie 10.jpg"
"SubscribedURL" = "file://E:\Moje obrazy\różne\Nowy folder (3)\Zdjecie 10.jpg"

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\4\
"FriendlyName" = "Privacy Protection"
"Source" = "file:///C:\WINDOWS\privacy_danger\index.htm"
"SubscribedURL" = ""


Startup items in "darek" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\darek\Menu Start\Programy\Autostart
"MyWebSearch Email Plugin" -> shortcut to: "C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE" [file not found]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"gwum" -> shortcut to: "C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe" [empty string]
"RaConfig2500" -> shortcut to: "C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe" ["Ralink Technology, Corp."]
"Service Manager" -> shortcut to: "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{5AA06644-BC46-4220-A460-47A6EB47C96D}"
  -> {HKLM...CLSID} = "NavExcel Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll" [file not found]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" [file not found]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{5AA06644-BC46-4220-A460-47A6EB47C96D}"
  -> {HKLM...CLSID} = "NavExcel Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll" [file not found]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" [file not found]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" [file not found]
"{53E0B6E8-A51D-448B-B692-40B67B285543}" = "Seekmo Toolbar"
  -> {HKLM...CLSID} = "Seekmo Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Seekmo Programs\Seekmo Toolbar\SeekmoTB.dll" [file not found]
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)
  -> {HKLM...CLSID} = "Megaupload Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}\(Default) = "My Web Search Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

{8B69DB2E-015D-4C4F-B97E-95EF5326BDA8}\
"ButtonText" = "eBay Startseite"
"Exec" = "http://adfarm.mediaplex.com/ad/ck/707-1170-5704-77?RedirectEnter&partner=36420&loc= http://pages.ebay.de " [file not found]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

<> "Tabs" = "C:\Documents and Settings\darek\Dane aplikacji\MegauploadToolbar\tabwelcome.html" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"]
AntiVir Scheduler, AntiVirScheduler, "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! iAVS4 Mirror HTTP Server, aswHTTPMirror, "C:\Program Files\Alwil Software\Management Tools\mirror\httpd.exe" [null data]
MSSQL$AVAST, MSSQL$AVAST, "C:\Program Files\Microsoft SQL Server\MSSQL$AVAST\Binn\sqlservr.exe -sAVAST" [MS]
SQLAgent$AVAST, SQLAgent$AVAST, "C:\Program Files\Microsoft SQL Server\MSSQL$AVAST\Binn\sqlagent.EXE -i AVAST" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Monitor 2 języka BJ\Driver = "CNBJMON2.DLL" [MS]


----------
(launch time: 2007-09-09 11:44:04)
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 116 seconds.
---------- (total run time: 152 seconds)
And as for the indicated key, the possible choices are 0-4, no 5.
Post merged: 08.09.2007 (Sat) 12:12
Combo log, pasting it here because it's not that long:
ComboFix 07-09-08 - "darek" 2007-09-09 12:09:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.165 [GMT 2:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-09 to 2007-09-09 )))))))))))))))))))))))))))))))
.

2007-09-09 01:24 3,418 --a--c--- C:\WINDOWS\system32\tmp.reg
2007-09-07 22:10 51,200 --a--c--- C:\WINDOWS\NirCmd.exe
2007-09-05 17:43 77,312 --a--c--- C:\WINDOWS\system32\ztvunace26.dll
2007-09-05 17:43 75,264 --a--c--- C:\WINDOWS\system32\unacev2.dll
2007-09-05 17:43 69,632 --a--c--- C:\WINDOWS\system32\ztvcabinet.dll
2007-09-05 17:43 162,304 --a--c--- C:\WINDOWS\system32\ztvunrar36.dll
2007-09-05 17:43 153,088 --a--c--- C:\WINDOWS\system32\UNRAR3.dll
2007-09-05 17:43
2007-09-05 17:43
2007-09-04 21:02
2007-09-02 15:51
2007-09-02 15:51
2007-09-02 15:51
2007-09-02 15:50
2007-08-27 18:42
2007-08-15 00:38 4,096 --a--c--- C:\WINDOWS\d3dx.dat
2007-08-13 13:11
2007-08-13 13:11
2007-08-13 13:11
2007-08-13 13:11

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-07 05:27 --------- d----c--- C:\DOCUME~1\ALLUSE~1\DANEAP~1\AntiVir PersonalEdition classic
2007-09-05 18:20 --------- d-a--c--- C:\DOCUME~1\ALLUSE~1\DANEAP~1\TEMP
2007-09-05 18:05 --------- d-------- C:\Program Files\NavExcel Search Toolbar
2007-09-05 17:47 --------- d----c--- C:\Program Files\Common Files\CMEII
2007-09-02 15:51 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-30 19:19 92504 --a--c--- C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a--c--- C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a--c--- C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a--c--- C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a--c--- C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a--c--- C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a--c--- C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-26 08:20 --------- d----c--- C:\DOCUME~1\darek\DANEAP~1\Disney Interactive Studios
2007-07-19 14:43 --------- d----c--- C:\DOCUME~1\darek\DANEAP~1\Ankh
2007-07-11 14:31 271872 --a--c--- C:\WINDOWS\system32\dbylnno.exe.ren
2007-07-01 12:52 3766 --ahsc--- C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-13 09:12 1180 --a--c--- C:\drmHeader.bin
2007-06-12 21:04 817664 ---h-c--- C:\WINDOWS\system32\wodfamoh.dll
2006-11-09 17:53 88280 --a--c--- C:\DOCUME~1\darek\DANEAP~1\winantiviruspro2006freeinstall[1].exe.ren
2005-11-05 21:19 0 --a--c--- C:\DOCUME~1\darek\wind.exe
2005-02-16 23:38:12 4 -csh--r C:\WINDOWS\ab3pctm.dll
2000-10-10 08:10:10 929,844 -csha-r C:\WINDOWS\system32\Mfc42d.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-08_222846.82 )))))))))))))))))))))))))))))))))))))))))
.
-c--atw 16,384 2007-09-09 08:16:42 C:\WINDOWS\Temp\Perflib_Perfdata_718.dat
.
-c--atw 16,384 2007-03-13 15:53:53 C:\WINDOWS\Temp\Perflib_Perfdata_718.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864A5-3916-46E2-96A9-A2E84F3F1208}]
C:\Program Files\Accoona\ASearchAssist.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{5AA06644-BC46-4220-A460-47A6EB47C96D}"= C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll []
[HKEY_CLASSES_ROOT\CLSID\{5AA06644-BC46-4220-A460-47A6EB47C96D}]
[HKEY_CLASSES_ROOT\NavExcelBar.NavExcelBarObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{5297E905-1DFB-4A9C-9871-A4F95FD58945}]
[HKEY_CLASSES_ROOT\NavExcelBar.NavExcelBarObj]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 11:01 C:\WINDOWS\SOUNDMAN.EXE]
"NVRaidService"="C:\WINDOWS\System32\nvraidservice.exe" [2004-06-11 05:15]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 08:15]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"SS1HelperStartUp"="C:\PROGRA~1\SEASID~1\SS1HEL~1.exe" []
"aswSdWiz"="C:\PROGRA~1\ALWILS~1\Avast4\aswSdWiz.exe" []
"Media Gateway"="C:\Program Files\Media Gateway\MediaGateway.exe" []
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-09-06 14:53]
"NI.UERS_0001_N68M1801"="C:\Documents and Settings\darek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\6TDMJQ94\ErrorSafeFreeInstall[1].exe" []
"Ulead AutoDetector"="C:\Monitor.exe" []
"SWN2"="E:\Config.Msi\Spyware Nuker\swnxt.exe" [2006-06-09 18:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" []
"TrojanScanner"="E:\Config.Msi\Trojan Remover\Trjscan.exe" [2007-09-04 13:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:44]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"Komunikator"="E:\Komunikator Tlen\tlen.exe" []
"Registry Cleaner"="C:\Program Files\TPT Registry_Cleaner (Trial)\regclean.exe" []
"WinFixer2006"="C:\Program Files\WinFixer_2006\uwfx6.exe" []
"AQQ"="D:\AQQMOV~1\AQQ\AQQ.exe" [2007-02-28 14:18]
"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2006-08-02 23:46]
"odk_mcd"="" []
"IDMan"="E:\Config.Msi\ALLPlayer\LANG\Internet Download Manager\IDMan.exe" []
"PhonostarAgent"="C:\Program Files\phonostar\ps_agent.exe" [2007-06-18 16:49]
"PhonostarTimer"="C:\Program Files\phonostar\ps_timer.exe" [2007-06-18 16:59]
"Gadu-Gadu"="D:\gg\Gadu-Gadu\gg.exe" [2007-07-09 09:39]
"uTorrent"="E:\uTorrent\utorrent.exe" [2007-09-04 21:11]
"eMuleAutoStart"="D:\emule\Nowy folder\eMule\emule.exe" [2007-05-13 16:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"HLinit"=c:\progra~1\filesu~1\shanno~1.zip\hyperl~1.exe

C:\DOCUME~1\ALLUSE~1\MENUST~1\Programy\AUTOST~1\
gwum.lnk - C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe [2005-02-16 21:10:48]
RaConfig2500.lnk - C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe [2005-08-31 19:32:13]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= file://E:\Moje obrazy\różne\Nowy folder (3)\Zdjecie 10.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys
R2 aswHTTPMirror;avast! iAVS4 Mirror HTTP Server;C:\Program Files\Alwil Software\Management Tools\mirror\httpd.exe
R2 MSSQL$AVAST;MSSQL$AVAST;C:\Program Files\Microsoft SQL Server\MSSQL$AVAST\Binn\sqlservr.exe -sAVAST
R2 SQLAgent$AVAST;SQLAgent$AVAST;C:\Program Files\Microsoft SQL Server\MSSQL$AVAST\Binn\sqlagent.EXE -i AVAST
R3 MarkFun_NT;MarkFun_NT;\??\C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\markfun.w32
R3 Pcatip;Pcatip;C:\WINDOWS\system32\DRIVERS\Pcatip.sys
R3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S2 avast! Management Server;avast! Management Server;"C:\Program Files\Alwil Software\Management Tools\avEngine.exe" /ServiceStart
S2 sbbotdi;sbbotdi;\??\E:\PROGRA~1\DAP\SPEEDB~1\sbbotdi.sys
S3 KAR;Netgroup Packet Filter;C:\WINDOWS\system32\drivers\kar.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-09 12:09:57
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HLinit = c:\progra~1\filesu~1\shanno~1.zip\hyperl~1.exe??

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************
.
Completion time: 2007-09-09 12:10:44
C:\ComboFix-quarantined-files.txt ... 2007-09-09 12:10
C:\ComboFix2.txt ... 2007-09-08 22:29
.
--- E O F ---
Posts merged: 08.09.2007 (Sat) 12:56
It seems to me that in the key given I should pick 3, but I'm not sure.
Gutek
(Gutek)
8 September 2007 16:39
#9
Download The Avenger. Unpack it => run it => tick the Input script manually option => click the magnifying-glass icon => in the window that opens, paste:
click the Done button => now click the green light => a message should appear, click OK (the machine restarts now).
After that, a fresh ComboFix log.
Gutek
(Gutek)
9 September 2007 02:06
#11
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG >>> double-click the FIX.REG file you created and confirm adding it to the registry >>> restart.
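Added example (editor's code, not from this thread, from ComboFix, or from Gutek's script, which is not reproduced on the page): a small Python triage of the "Reg Loading Points" entries from the log posted above, followed by a draft of the kind of .reg file the step above imports. The sample lines are constructed from entries visible in the posted log; the heuristics, the rogue-name list and every function name are assumptions made for the example.

```python
"""Triage ComboFix "Reg Loading Points" lines and draft a FIX.REG.

Added example: not code from the thread, from ComboFix or from the
(unshown) script posted by Gutek. Sample lines are constructed from
entries visible in the posted log; heuristics and names are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, one entry per line as ComboFix prints them.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 11:01 C:\WINDOWS\SOUNDMAN.EXE]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-09-06 14:53]
"NI.UERS_0001_N68M1801"="C:\Documents and Settings\darek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\6TDMJQ94\ErrorSafeFreeInstall[1].exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:44]
"WinFixer2006"="C:\Program Files\WinFixer_2006\uwfx6.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"HLinit"=c:\progra~1\filesu~1\shanno~1.zip\hyperl~1.exe
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# "Name"="target" [stamp]  or  "Name"=target  (ComboFix leaves some targets unquoted)
VALUE_RE = re.compile(r'^"([^"]+)"=("?)(.*?)\2\s*(?:\[(.*)\])?\s*$')
SOURCE_RE = re.compile(r'^Source=\s*(\S.*)$')

# Rogue-AV / desktop-hijack names that appear in the posted log (assumption:
# these are what the poster was infected with; extend as needed).
ROGUE_MARKERS = ('winfixer', 'errorsafe', 'privacy_danger')

Entry = Tuple[str, str, str, Optional[str]]   # key, name, target, stamp


def parse_loading_points(text: str) -> List[Entry]:
    """Walk the log, remembering the current [HKEY_...] key, and collect
    Run-style values plus Active Desktop 'Source=' lines."""
    entries: List[Entry] = []
    key = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            key = m.group(1)
        elif (m := VALUE_RE.match(line)):
            # group(4) is None when no [..] follows, '' for an empty [] stamp
            entries.append((key, m.group(1), m.group(3), m.group(4)))
        elif (m := SOURCE_RE.match(line)) and 'desktop\\components' in key.lower():
            entries.append((key, 'Source', m.group(1), None))
    return entries


def assess(key: str, name: str, target: str, stamp: Optional[str]) -> List[str]:
    """Return the reasons an autostart entry deserves a closer look (heuristics)."""
    reasons: List[str] = []
    t, n = target.lower(), name.lower()
    if any(mk in t or mk in n for mk in ROGUE_MARKERS):
        reasons.append('matches a rogue-AV / hijacker name seen in this thread')
    if 'temporary internet files' in t or 'content.ie5' in t:
        reasons.append('autostart target lives in the IE browser cache')
    if '.zip\\' in t:
        reasons.append('target path passes through a .zip archive')
    if name == 'Source' and t.startswith('file:///c:\\windows\\'):
        reasons.append('Active Desktop component backed by a local HTML file')
    if stamp == '':
        reasons.append('empty [] stamp: ComboFix could not read the file (assumption: file missing)')
    return reasons


def triage(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Every entry that scored at least one reason, in log order."""
    hits = []
    for key, name, target, stamp in parse_loading_points(text):
        reasons = assess(key, name, target, stamp)
        if reasons:
            hits.append((key, name, target, reasons))
    return hits


def reg_removal_script(hits) -> str:
    """Draft a .reg file: [-key] deletes a whole key, "name"=- deletes one value.
    The output is a candidate for manual review, not something to import blindly."""
    by_key: Dict[str, List[str]] = {}
    for key, name, _target, _reasons in hits:
        by_key.setdefault(key, []).append(name)
    lines = ['Windows Registry Editor Version 5.00', '']
    for key, names in by_key.items():
        if 'Source' in names:            # hijacked desktop component: drop the key
            lines += [f'[-{key}]', '']
        else:                            # ordinary Run value: drop just the value
            lines += [f'[{key}]'] + [f'"{n}"=-' for n in names] + ['']
    return '\r\n'.join(lines)


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for key, name, target, reasons in found:
        print(f'{key}\n  {name} -> {target}')
        for r in reasons:
            print(f'    * {r}')
    print('\n--- FIX.REG draft (review before importing) ---')
    print(reg_removal_script(found))
```

Run it with python3 and read the reasons before importing anything: the `[-key]` and `"name"=-` forms are standard Registry Editor 5.00 syntax for deleting a key and a value, but removing a Run value only stops the autostart, it does not delete the file the value pointed at, which still has to be removed or quarantined separately.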
system
(system)
9 September 2007 11:45
#12
I did as above. Is there anything else I have to do? I'm no longer getting any virus alerts, no antivirus ads pop up, and after deleting 3 from the key given I can set the desktop background, so everything looks like it's OK.
jessica
(jessica)
9 September 2007 12:45
#13
Yes, one more key still has to be removed:
jessi
system
(system)
11 September 2007 08:12
#14
Yes, I had already done that step earlier.
I'd like to thank you all very warmly for the help you gave. Thanks to you my computer is working normally again. Many thanks, I take my hat off to you. Regards