Trojan Win32 BHO o Net-Worm Win32 Allaple a

Hello!

Kaspersky Online detected several worms and trojans on my machine:

Trojan-Clicker.Win32.Agent.jn,

Net-Worm.Win32.Allaple.a.

Trojan.Win32.BHO.o,

Trojan-Spy.Win32.VBStat.h ,

I remove them with GMER, in GMER safe mode. They seem to get removed, but soon afterwards they keep coming back to my computer.

I would like to protect myself more effectively against attacks from outside. PLEASE ADVISE!

I am attaching logs from COMBOSCAN and Silent:

______

ComboScan v20070306.20 run by Andziulkaa on 2007-05-15 at 23:30:39

Computer is in Normal Mode.


– HijackThis (run as Andziulkaa.exe) ------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 23:30:43, on 2007-05-15

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\htpatch.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\autoclk.exe

C:\PROGRA~1\Wanadoo\TaskbarIcon.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

D:\Spyware Doctor\swdoctor.exe

C:\Program Files\MCS Studios\PC Firewall\pcfw.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

D:\Spyware Doctor\sdhelp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Wanadoo\EspaceWanadoo.exe

C:\Program Files\Wanadoo\ComComp.exe

C:\Program Files\Wanadoo\Watch.exe

C:\Program Files\Mozilla Firefox\firefox.exe

E:\instalki\Na Wirusy, Porty itp\comboscan.exe

D:\HIJACK~1\ANDZIU~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: Shell=explorer.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1D65844C-DDB4-4D90-9407-C65C6C6F8200} - C:\WINDOWS\System32\vtsqp.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {8E503101-9244-4823-8EF2-3257F018DA3b} - C:\WINDOWS\System32\jofgshmq.dll (file missing)

O2 - BHO: (no name) - {AFC9BF99-BFD7-4CCA-9D5E-025A63757211} - C:\WINDOWS\System32\ljjkigf.dll

O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\System32\kefcgjoo.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM…\Run: [HTpatch] C:\WINDOWS\htpatch.exe

O4 - HKLM…\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM…\Run: [autoclk] autoclk.exe

O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe

O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM…\Run: [WindowsUpdate] rundll32.exe “C:\WINDOWS\System32\oqbgdcfe.dll”,realset

O4 - HKCU…\Run: [spyware Doctor] “D:\Spyware Doctor\swdoctor.exe” /Q

O4 - HKCU…\Run: [PC Firewall] C:\Program Files\MCS Studios\PC Firewall\pcfw.exe

O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\MSMSGS.EXE” /background

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 6296194156

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip…{5CE5CE31-9D1F-44D9-9E53-3394E3B1A558}: NameServer = 194.204.152.34 217.98.63.164

O20 - Winlogon Notify: ljjkigf - C:\WINDOWS\SYSTEM32\ljjkigf.dll

O20 - Winlogon Notify: vtsqp - C:\WINDOWS\System32\vtsqp.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: msn msgr 32-bit?blient process (msnmsgr32) - Unknown owner - C:\WINDOWS\system\msnmsgr32.exe (file missing)

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Spyware Doctor\sdhelp.exe

– Files created between 2007-04-15 and 2007-05-15 -----------------------------

2007-05-11 19:22:36 132660 --a------ C:\WINDOWS\System32\oqbgdcfe.dll

2007-05-09 22:12:12 0 d-------- C:\WINDOWS\System32\Kaspersky Lab

2007-05-09 22:08:05 0 d-------- C:\WINDOWS\System32\ActiveScan

2007-05-09 20:04:08 4212 —h----- C:\WINDOWS\System32\zllictbl.dat

2007-05-09 20:02:58 0 d-------- C:\WINDOWS\Internet Logs

2007-04-29 19:54:12 0 d-------- C:\WINDOWS\System32\appmgmt

2007-04-29 19:47:57 12032 -----n— C:\WINDOWS\System32\drivers\usb8023x.sys

2007-04-29 19:47:57 29696 -----n— C:\WINDOWS\System32\drivers\rndismpx.sys

2007-04-29 19:47:35 0 d-------- C:\Program Files\Microsoft ActiveSync

2007-04-29 19:47:17 0 d-------- C:\WINDOWS\Downloaded Installations

2007-04-29 19:31:05 0 d-------- C:\Program Files\SMM

2007-04-24 03:02:45 0 d-------- C:\WINDOWS\Cache

2007-04-21 21:33:14 38160 --a------ C:\WINDOWS\System32\LMRTREND.dll

2007-04-21 21:33:12 181760 --a------ C:\WINDOWS\System32\ir50_qcx.dll

2007-04-21 21:33:12 198144 --a------ C:\WINDOWS\System32\ir50_qc.dll

2007-04-21 21:33:12 733696 --a------ C:\WINDOWS\System32\ir50_32.dll

2007-04-21 21:33:12 338432 --a------ C:\WINDOWS\System32\ir41_qcx.dll

2007-04-21 21:33:12 120320 --a------ C:\WINDOWS\System32\ir41_qc.dll

2007-04-21 21:32:58 182032 --a------ C:\WINDOWS\System32\dxtmsft3.dll

2007-04-21 21:32:40 63488 --a------ C:\WINDOWS\System32\unam4ie.exe

2007-04-21 21:32:36 10240 --a------ C:\WINDOWS\System32\vidx16.dll

2007-04-21 21:32:35 194320 --a------ C:\WINDOWS\System32\qcut.dll

2007-04-21 21:32:34 4608 --a------ C:\WINDOWS\System32\w95inf32.dll

2007-04-21 21:32:34 2272 --a------ C:\WINDOWS\System32\w95inf16.dll

2007-04-21 21:32:32 48128 --a------ C:\WINDOWS\System32\wnaspi32.dll

2007-04-21 21:32:32 23936 --a------ C:\WINDOWS\System32\drivers\aspi32.sys

2007-04-21 21:32:32 4672 --a------ C:\WINDOWS\system\wowpost.exe

2007-04-21 21:32:32 5600 --a------ C:\WINDOWS\system\winaspi.dll

2007-04-21 18:53:21 17920 --a------ C:\WINDOWS\System32\mdimon.dll

2007-04-21 18:48:18 0 d-------- C:\Program Files\Microsoft.NET

2007-04-21 18:47:52 0 d-------- C:\WINDOWS\SHELLNEW

2007-04-18 18:48:49 24960 --a------ C:\WINDOWS\System32\drivers\usbprint.sys

2007-04-16 23:36:27 577618 —hs---- C:\WINDOWS\System32\pqstv.bak2

2007-04-16 17:50:23 50176 --a------ C:\WINDOWS\System32\dpwsockx.dll

2007-04-16 17:50:23 214528 --a------ C:\WINDOWS\System32\dplayx.dll

2007-04-16 17:48:13 30749 --a------ C:\WINDOWS\System32\vbajet32.dll

2007-04-16 17:48:13 348189 --a------ C:\WINDOWS\System32\msxbde40.dll

2007-04-16 17:48:13 614429 --a------ C:\WINDOWS\System32\mswstr10.dll

2007-04-16 17:48:13 258077 --a------ C:\WINDOWS\System32\mstext40.dll

2007-04-16 17:48:13 552989 --a------ C:\WINDOWS\System32\msrepl40.dll

2007-04-16 17:48:13 348189 --a------ C:\WINDOWS\System32\mspbde40.dll

2007-04-16 17:48:13 241693 --a------ C:\WINDOWS\System32\msjtes40.dll

2007-04-16 17:48:13 172061 --a------ C:\WINDOWS\System32\msjint40.dll

2007-04-16 17:48:13 358976 --a------ C:\WINDOWS\System32\msjetoledb40.dll

2007-04-16 17:48:13 1507356 --a------ C:\WINDOWS\System32\msjet40.dll

2007-04-16 17:48:13 319517 --a------ C:\WINDOWS\System32\msexcl40.dll

2007-04-16 17:48:13 512029 --a------ C:\WINDOWS\System32\msexch40.dll

2007-04-16 17:48:12 831519 --a------ C:\WINDOWS\System32\mswdat10.dll

2007-04-16 17:48:12 315423 --a------ C:\WINDOWS\System32\msrd3x40.dll

2007-04-16 17:48:12 421919 --a------ C:\WINDOWS\System32\msrd2x40.dll

2007-04-16 17:48:12 53279 --a------ C:\WINDOWS\System32\msjter40.dll

2007-04-16 17:48:12 380957 --a------ C:\WINDOWS\System32\expsrv.dll

2007-04-16 17:48:11 213023 --a------ C:\WINDOWS\System32\msltus40.dll

2007-04-16 17:34:46 227840 --a------ C:\WINDOWS\System32\srrstr.dll

2007-04-16 16:29:21 173568 --a------ C:\WINDOWS\System32\schedsvc.dll

2007-04-16 16:29:21 10752 --a------ C:\WINDOWS\System32\mstinit.exe

2007-04-16 16:29:21 263680 --a------ C:\WINDOWS\System32\mstask.dll

2007-04-16 02:18:22 32256 --a------ C:\WINDOWS\System32\msgsvc.dll

2007-04-15 13:34:52 0 d-------- C:\WINDOWS\Sun

2007-04-15 00:20:56 26694 --a------ C:\WINDOWS\System32\xxyvvvu.dll

– Find3M Report ---------------------------------------------------------------

2007-05-15 23:22:59 0 d-------- C:\Program Files\Wanadoo

2007-05-15 23:13:41 0 --a------ C:\WINDOWS\gmer.reg

2007-05-09 20:00:42 0 d-------- C:\Program Files\Mozilla Firefox

2007-05-07 17:20:02 0 d—s---- C:\Documents and Settings\Andziulkaa\Dane aplikacji\Microsoft

2007-05-01 23:29:25 0 d-------- C:\Program Files\Common Files\Adobe

2007-05-01 23:29:24 0 d-------- C:\Documents and Settings\Andziulkaa\Dane aplikacji\Adobe

2007-04-29 19:50:14 2508 --a------ C:\Documents and Settings\Andziulkaa\Dane aplikacji$_hpcst$.hpc

2007-04-21 19:39:22 0 d-------- C:\Documents and Settings\Andziulkaa\Dane aplikacji\COWON

2007-04-15 13:34:52 0 d-------- C:\Documents and Settings\Andziulkaa\Dane aplikacji\Sun

2007-04-14 21:38:44 26694 --a------ C:\WINDOWS\System32\opnoopq.dll

2007-04-14 20:54:32 26694 --a------ C:\WINDOWS\System32\ssqpppp.dll

2007-04-14 20:22:12 0 d-------- C:\Program Files\Messenger

2007-04-14 19:59:54 26694 --a------ C:\WINDOWS\System32\yayvtrp.dll

2007-04-14 19:29:56 456564 —hs---- C:\WINDOWS\System32\pqstv.bak1

2007-04-14 19:29:47 280676 —hs---- C:\WINDOWS\System32\vtsqp.dll

2007-04-14 19:24:35 26694 --a------ C:\WINDOWS\System32\ljjkigf.dll

2007-04-14 00:52:01 0 d-------- C:\Program Files\Java

2007-04-14 00:43:46 0 d-------- C:\Program Files\Common Files\Java

2007-04-14 00:12:16 1156 --a------ C:\WINDOWS\mozver.dat

2007-04-13 22:10:03 0 d-------- C:\Documents and Settings\Andziulkaa\Dane aplikacji\Lavasoft

2007-04-13 21:55:56 26694 --a------ C:\WINDOWS\System32\xxyvwwx.dll

2007-04-13 21:44:50 26694 --a------ C:\WINDOWS\System32\byxvspo.dll

2007-04-13 21:37:23 26694 --a------ C:\WINDOWS\System32\fccdedb.dll

2007-04-13 21:29:39 26694 --a------ C:\WINDOWS\System32\urqolml.dll

2007-04-13 21:02:25 26694 --a------ C:\WINDOWS\System32\rqrsrpp.dll

2007-04-13 20:51:47 26694 --a------ C:\WINDOWS\System32\tuvwtur.dll

2007-04-13 20:38:46 26694 --a------ C:\WINDOWS\System32\vtuspqo.dll

2007-04-13 20:09:09 26694 --a------ C:\WINDOWS\System32\gebawvs.dll

2007-04-13 19:18:55 26694 --a------ C:\WINDOWS\System32\ddcaxuv.dll

2007-04-13 17:41:38 26694 --a------ C:\WINDOWS\System32\wvusspp.dll

2007-04-13 17:27:12 26694 --a------ C:\WINDOWS\System32\fccyvvw.dll

2007-04-13 17:09:46 26694 --a------ C:\WINDOWS\System32\awttrsr.dll

2007-04-13 16:45:39 26694 --a------ C:\WINDOWS\System32\qomjhih.dll

2007-04-13 16:27:17 26694 --a------ C:\WINDOWS\System32\fccyaab.dll

2007-04-13 15:21:08 26694 --a------ C:\WINDOWS\System32\ddcdbbx.dll

2007-04-13 15:14:15 26694 --a------ C:\WINDOWS\System32\jkkhhii.dll

2007-04-12 22:00:21 0 --a------ C:\WINDOWS\nsreg.dat

2007-04-12 22:00:11 0 d-------- C:\Documents and Settings\Andziulkaa\Dane aplikacji\Mozilla

2007-04-12 18:05:15 26694 --a------ C:\WINDOWS\System32\rqrolll.dll

2007-04-11 18:16:03 0 d-------- C:\Documents and Settings\Andziulkaa\Dane aplikacji\PC Tools

2007-04-11 17:14:07 0 d-------- C:\Documents and Settings\Andziulkaa\Dane aplikacji\Macromedia

2007-04-11 15:32:59 0 d-------- C:\Program Files\SkanerOnline

2007-04-11 15:09:32 0 d-------- C:\Program Files\Common Files\ODBC

2007-04-11 15:09:29 0 d-------- C:\Program Files\Common Files\SpeechEngines

2007-04-11 15:09:10 62 --ahs---- C:\Documents and Settings\Andziulkaa\Dane aplikacji\desktop.ini

2007-04-11 14:50:27 0 d–h----- C:\Program Files\InstallShield Installation Information

2007-04-11 14:50:26 0 d-------- C:\Program Files\SAGEM

2007-04-11 14:50:25 0 d-------- C:\Program Files\Common Files\InstallShield

2007-04-11 14:50:09 0 d-------- C:\Program Files\JavaSoft

2007-04-11 14:48:08 80 --a------ C:\WINDOWS\gmer_uninstall.cmd

2007-04-11 14:46:25 0 d-------- C:\Program Files\Gadu-Gadu

2007-04-11 14:42:28 0 d-------- C:\Program Files\Alwil Software

2007-04-11 14:31:26 0 d-------- C:\Program Files\MarBit

2007-04-11 14:31:06 0 d-------- C:\Program Files\Vplayer

2007-04-11 14:30:02 0 d-------- C:\Program Files\MCS Studios

2007-04-11 14:27:19 355486 --a------ C:\WINDOWS\System32\perfh015.dat

2007-04-11 14:27:19 49492 --a------ C:\WINDOWS\System32\perfc015.dat

2007-04-11 14:26:39 0 d-------- C:\Program Files\C-Media 3D Audio

2007-04-11 14:25:03 0 d-------- C:\Program Files\Ahead

2007-04-11 14:22:07 0 d-------- C:\Documents and Settings\Andziulkaa\Dane aplikacji\Identities

2007-04-11 14:17:57 0 d-------- C:\Program Files\microsoft frontpage

2007-04-11 14:17:35 0 -rahs---- C:\MSDOS.SYS

2007-04-11 14:17:35 0 -rahs---- C:\IO.SYS

2007-04-11 14:17:35 0 --a------ C:\CONFIG.SYS

2007-04-11 14:17:35 0 --a------ C:\AUTOEXEC.BAT

2007-04-11 14:16:04 0 d-------- C:\Program Files\Movie Maker

2007-04-11 14:15:39 0 d-------- C:\Program Files\Common Files\MSSoap

2007-04-11 14:14:52 21856 --a------ C:\WINDOWS\System32\emptyregdb.dat

2007-04-11 14:14:32 0 d–h----- C:\Program Files\WindowsUpdate

2007-04-11 14:14:32 0 d-------- C:\Program Files\Usługi online

2007-04-11 14:14:22 0 d-------- C:\Program Files\MSN Gaming Zone

2007-04-11 14:14:20 0 d-------- C:\Program Files\Windows NT

2007-03-15 12:00:36 466432 --a------ C:\WINDOWS\System32\SkanerOnline.dll

– Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

“Spyware Doctor”="“D:\Spyware Doctor\swdoctor.exe” /Q"

“PC Firewall”=“C:\Program Files\MCS Studios\PC Firewall\pcfw.exe”

“MSMSGS”="“C:\Program Files\Messenger\MSMSGS.EXE” /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

“NeroCheck”=“C:\WINDOWS\System32\\NeroCheck.exe”

“HTpatch”=“C:\WINDOWS\htpatch.exe”

“SiSUSBRG”=“C:\WINDOWS\SiSUSBrg.exe”

“Cmaudio”=“RunDll32 cmicnfg.cpl,CMICtrlWnd”

“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe”

“autoclk”=“autoclk.exe”

“WOOWATCH”=“C:\PROGRA~1\Wanadoo\Watch.exe”

“WOOTASKBARICON”=“C:\PROGRA~1\Wanadoo\TaskbarIcon.exe”

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe”

“WindowsUpdate”=“rundll32.exe “C:\WINDOWS\System32\oqbgdcfe.dll”,realset”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

“Installed”=“1”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

“Installed”=“1”

“NoChange”=“1”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

“Installed”=“1”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

“{2354A369-FB71-4D46-AE6D-701001F6D987}”=""

“{AFC9BF99-BFD7-4CCA-9D5E-025A63757211}”=""

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]

“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE”

“Spyware Doctor”="“D:\Spyware Doctor\swdoctor.exe” /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE”

“Spyware Doctor”="“D:\Spyware Doctor\swdoctor.exe” /Q"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjkigf

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqp

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

“SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_SISPORT

– End of ComboScan: finished at 2007-05-15 at 23:31:10 ------------------------

__________________-

LOG FROM SILENT Runners:

“Silent Runners.vbs”, revision 45, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“Spyware Doctor” = ““D:\Spyware Doctor\swdoctor.exe” /Q” [“PC Tools Research Pty Ltd”]

“PC Firewall” = “C:\Program Files\MCS Studios\PC Firewall\pcfw.exe” [“MCS Studios (http://www.mcsstudios.com)”]

“MSMSGS” = ““C:\Program Files\Messenger\MSMSGS.EXE” /background” [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“NeroCheck” = “C:\WINDOWS\System32\NeroCheck.exe” [“Ahead Software Gmbh”]

“HTpatch” = “C:\WINDOWS\htpatch.exe” [null data]

“SiSUSBRG” = “C:\WINDOWS\SiSUSBrg.exe” [“Silicon Integrated Systems Corp.”]

“Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS]

“avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data]

“autoclk” = “autoclk.exe” [empty string]

“WOOWATCH” = “C:\PROGRA~1\Wanadoo\Watch.exe” [“France Télécom R&D”]

“WOOTASKBARICON” = “C:\PROGRA~1\Wanadoo\TaskbarIcon.exe” [“France Télécom R&D”]

“SunJavaUpdateSched” = “C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” [“Sun Microsystems, Inc.”]

“WindowsUpdate” = “rundll32.exe “C:\WINDOWS\System32\oqbgdcfe.dll”,realset” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]

{1D65844C-DDB4-4D90-9407-C65C6C6F8200}(Default) = (no title provided)

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINDOWS\System32\vtsqp.dll” [null data]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM…CLSID} = “SSVHelper Class”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”]

{8E503101-9244-4823-8EF2-3257F018DA3b}(Default) = (no title provided)

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINDOWS\System32\jofgshmq.dll” [file not found]

{AFC9BF99-BFD7-4CCA-9D5E-025A63757211}(Default) = (no title provided)

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINDOWS\System32\ljjkigf.dll” [null data]

{E2EE5C44-C66D-499d-BEAE-A2A79189A63A}(Default) = (no title provided)

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINDOWS\System32\kefcgjoo.dll” [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]

“{472083B0-C522-11CF-8763-00608CC02F24}” = “avast”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\WinRAR\rarext.dll” [null data]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler”

-> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”

\InProcServer32(Default) = “D:\MICROS~1\OFFICE11\OLKFSTUB.DLL” [MS]

“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “D:\Microsoft Office\OFFICE11\msohev.dll” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! “{AFC9BF99-BFD7-4CCA-9D5E-025A63757211}” = “*” (unwritable string)

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINDOWS\System32\ljjkigf.dll” [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! crypt\DLLName = “crypts.dll” [file not found]

INFECTION WARNING! ljjkigf\DLLName = “ljjkigf.dll” [null data]

INFECTION WARNING! vtsqp\DLLName = “C:\WINDOWS\System32\vtsqp.dll” [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\WinRAR\rarext.dll” [null data]

Active Desktop and Wallpaper:


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\Documents and Settings\Andziulkaa\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Enabled Screen Saver:


HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS]

Startup items in “Andziulkaa” & “All Users” startup folders:


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W” [empty string]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:


Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

“MenuText” = “Sun Java Console”

“CLSIDExtension” = “{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}”

-> {HKCU…CLSID} = “Java Plug-in”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”]

-> {HKLM…CLSID} = “Java Plug-in 1.5.0_06”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll” [“Sun Microsystems, Inc.”]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

“ButtonText” = “Badanie”

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

“ButtonText” = “Messenger”

“MenuText” = “Windows Messenger”

“Exec” = “C:\Program Files\Messenger\MSMSGS.EXE” [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):


avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data]

avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data]

avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”]

avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”]

PC Tools Spyware Doctor, SDhelper, “D:\Spyware Doctor\sdhelp.exe” [“PC Tools Research Pty Ltd”]

Print Monitors:


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS]


  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • To search all directories of local fixed drives for DESKTOP.INI

DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

use the -supp parameter or answer “No” at the first message box.

---------- (total run time: 752 seconds, including 6 seconds for message boxes)

Use VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone.

After that, post a log from Combofix.

Note: When you paste a log, wrap it in a CODE or QUOTE tag.

Regards, Gutek2222

The log is clean, I don't see anything :wink:

Thank you very much :slight_smile: