Hi!
Kaspersky Online detected several worms and trojans on my machine:
Trojan-Clicker.Win32.Agent.jn,
Net-Worm.Win32.Allaple.a,
Trojan.Win32.BHO.o,
Trojan-Spy.Win32.VBStat.h.
I remove them with GMER in Safe Mode. They seem to get removed, but soon afterwards they keep coming back to my computer.
I would like to protect myself more effectively against attacks from outside. PLEASE ADVISE!
I am attaching the logs from ComboScan and Silent Runners:
______
ComboScan v20070306.20 run by Andziulkaa on 2007-05-15 at 23:30:39
Computer is in Normal Mode.
-- HijackThis (run as Andziulkaa.exe) ------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 23:30:43, on 2007-05-15
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\htpatch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\autoclk.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Spyware Doctor\swdoctor.exe
C:\Program Files\MCS Studios\PC Firewall\pcfw.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\instalki\Na Wirusy, Porty itp\comboscan.exe
D:\HIJACK~1\ANDZIU~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D65844C-DDB4-4D90-9407-C65C6C6F8200} - C:\WINDOWS\System32\vtsqp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8E503101-9244-4823-8EF2-3257F018DA3b} - C:\WINDOWS\System32\jofgshmq.dll (file missing)
O2 - BHO: (no name) - {AFC9BF99-BFD7-4CCA-9D5E-025A63757211} - C:\WINDOWS\System32\ljjkigf.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\System32\kefcgjoo.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\System32\oqbgdcfe.dll",realset
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [PC Firewall] C:\Program Files\MCS Studios\PC Firewall\pcfw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 6296194156
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CE5CE31-9D1F-44D9-9E53-3394E3B1A558}: NameServer = 194.204.152.34 217.98.63.164
O20 - Winlogon Notify: ljjkigf - C:\WINDOWS\SYSTEM32\ljjkigf.dll
O20 - Winlogon Notify: vtsqp - C:\WINDOWS\System32\vtsqp.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: msn msgr 32-bit?blient process (msnmsgr32) - Unknown owner - C:\WINDOWS\system\msnmsgr32.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Spyware Doctor\sdhelp.exe
-- Files created between 2007-04-15 and 2007-05-15 -----------------------------
2007-05-11 19:22:36 132660 --a------ C:\WINDOWS\System32\oqbgdcfe.dll
2007-05-09 22:12:12 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2007-05-09 22:08:05 0 d-------- C:\WINDOWS\System32\ActiveScan
2007-05-09 20:04:08 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2007-05-09 20:02:58 0 d-------- C:\WINDOWS\Internet Logs
2007-04-29 19:54:12 0 d-------- C:\WINDOWS\System32\appmgmt
2007-04-29 19:47:57 12032 -----n--- C:\WINDOWS\System32\drivers\usb8023x.sys
2007-04-29 19:47:57 29696 -----n--- C:\WINDOWS\System32\drivers\rndismpx.sys
2007-04-29 19:47:35 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-04-29 19:47:17 0 d-------- C:\WINDOWS\Downloaded Installations
2007-04-29 19:31:05 0 d-------- C:\Program Files\SMM
2007-04-24 03:02:45 0 d-------- C:\WINDOWS\Cache
2007-04-21 21:33:14 38160 --a------ C:\WINDOWS\System32\LMRTREND.dll
2007-04-21 21:33:12 181760 --a------ C:\WINDOWS\System32\ir50_qcx.dll
2007-04-21 21:33:12 198144 --a------ C:\WINDOWS\System32\ir50_qc.dll
2007-04-21 21:33:12 733696 --a------ C:\WINDOWS\System32\ir50_32.dll
2007-04-21 21:33:12 338432 --a------ C:\WINDOWS\System32\ir41_qcx.dll
2007-04-21 21:33:12 120320 --a------ C:\WINDOWS\System32\ir41_qc.dll
2007-04-21 21:32:58 182032 --a------ C:\WINDOWS\System32\dxtmsft3.dll
2007-04-21 21:32:40 63488 --a------ C:\WINDOWS\System32\unam4ie.exe
2007-04-21 21:32:36 10240 --a------ C:\WINDOWS\System32\vidx16.dll
2007-04-21 21:32:35 194320 --a------ C:\WINDOWS\System32\qcut.dll
2007-04-21 21:32:34 4608 --a------ C:\WINDOWS\System32\w95inf32.dll
2007-04-21 21:32:34 2272 --a------ C:\WINDOWS\System32\w95inf16.dll
2007-04-21 21:32:32 48128 --a------ C:\WINDOWS\System32\wnaspi32.dll
2007-04-21 21:32:32 23936 --a------ C:\WINDOWS\System32\drivers\aspi32.sys
2007-04-21 21:32:32 4672 --a------ C:\WINDOWS\system\wowpost.exe
2007-04-21 21:32:32 5600 --a------ C:\WINDOWS\system\winaspi.dll
2007-04-21 18:53:21 17920 --a------ C:\WINDOWS\System32\mdimon.dll
2007-04-21 18:48:18 0 d-------- C:\Program Files\Microsoft.NET
2007-04-21 18:47:52 0 d-------- C:\WINDOWS\SHELLNEW
2007-04-18 18:48:49 24960 --a------ C:\WINDOWS\System32\drivers\usbprint.sys
2007-04-16 23:36:27 577618 ---hs---- C:\WINDOWS\System32\pqstv.bak2
2007-04-16 17:50:23 50176 --a------ C:\WINDOWS\System32\dpwsockx.dll
2007-04-16 17:50:23 214528 --a------ C:\WINDOWS\System32\dplayx.dll
2007-04-16 17:48:13 30749 --a------ C:\WINDOWS\System32\vbajet32.dll
2007-04-16 17:48:13 348189 --a------ C:\WINDOWS\System32\msxbde40.dll
2007-04-16 17:48:13 614429 --a------ C:\WINDOWS\System32\mswstr10.dll
2007-04-16 17:48:13 258077 --a------ C:\WINDOWS\System32\mstext40.dll
2007-04-16 17:48:13 552989 --a------ C:\WINDOWS\System32\msrepl40.dll
2007-04-16 17:48:13 348189 --a------ C:\WINDOWS\System32\mspbde40.dll
2007-04-16 17:48:13 241693 --a------ C:\WINDOWS\System32\msjtes40.dll
2007-04-16 17:48:13 172061 --a------ C:\WINDOWS\System32\msjint40.dll
2007-04-16 17:48:13 358976 --a------ C:\WINDOWS\System32\msjetoledb40.dll
2007-04-16 17:48:13 1507356 --a------ C:\WINDOWS\System32\msjet40.dll
2007-04-16 17:48:13 319517 --a------ C:\WINDOWS\System32\msexcl40.dll
2007-04-16 17:48:13 512029 --a------ C:\WINDOWS\System32\msexch40.dll
2007-04-16 17:48:12 831519 --a------ C:\WINDOWS\System32\mswdat10.dll
2007-04-16 17:48:12 315423 --a------ C:\WINDOWS\System32\msrd3x40.dll
2007-04-16 17:48:12 421919 --a------ C:\WINDOWS\System32\msrd2x40.dll
2007-04-16 17:48:12 53279 --a------ C:\WINDOWS\System32\msjter40.dll
2007-04-16 17:48:12 380957 --a------ C:\WINDOWS\System32\expsrv.dll
2007-04-16 17:48:11 213023 --a------ C:\WINDOWS\System32\msltus40.dll
2007-04-16 17:34:46 227840 --a------ C:\WINDOWS\System32\srrstr.dll
2007-04-16 16:29:21 173568 --a------ C:\WINDOWS\System32\schedsvc.dll
2007-04-16 16:29:21 10752 --a------ C:\WINDOWS\System32\mstinit.exe
2007-04-16 16:29:21 263680 --a------ C:\WINDOWS\System32\mstask.dll
2007-04-16 02:18:22 32256 --a------ C:\WINDOWS\System32\msgsvc.dll
2007-04-15 13:34:52 0 d-------- C:\WINDOWS\Sun
2007-04-15 00:20:56 26694 --a------ C:\WINDOWS\System32\xxyvvvu.dll
-- Find3M Report ---------------------------------------------------------------
2007-05-15 23:22:59 0 d-------- C:\Program Files\Wanadoo
2007-05-15 23:13:41 0 --a------ C:\WINDOWS\gmer.reg
2007-05-09 20:00:42 0 d-------- C:\Program Files\Mozilla Firefox
2007-05-07 17:20:02 0 d---s---- C:\Documents and Settings\Andziulkaa\Dane aplikacji\Microsoft
2007-05-01 23:29:25 0 d-------- C:\Program Files\Common Files\Adobe
2007-05-01 23:29:24 0 d-------- C:\Documents and Settings\Andziulkaa\Dane aplikacji\Adobe
2007-04-29 19:50:14 2508 --a------ C:\Documents and Settings\Andziulkaa\Dane aplikacji\$_hpcst$.hpc
2007-04-21 19:39:22 0 d-------- C:\Documents and Settings\Andziulkaa\Dane aplikacji\COWON
2007-04-15 13:34:52 0 d-------- C:\Documents and Settings\Andziulkaa\Dane aplikacji\Sun
2007-04-14 21:38:44 26694 --a------ C:\WINDOWS\System32\opnoopq.dll
2007-04-14 20:54:32 26694 --a------ C:\WINDOWS\System32\ssqpppp.dll
2007-04-14 20:22:12 0 d-------- C:\Program Files\Messenger
2007-04-14 19:59:54 26694 --a------ C:\WINDOWS\System32\yayvtrp.dll
2007-04-14 19:29:56 456564 ---hs---- C:\WINDOWS\System32\pqstv.bak1
2007-04-14 19:29:47 280676 ---hs---- C:\WINDOWS\System32\vtsqp.dll
2007-04-14 19:24:35 26694 --a------ C:\WINDOWS\System32\ljjkigf.dll
2007-04-14 00:52:01 0 d-------- C:\Program Files\Java
2007-04-14 00:43:46 0 d-------- C:\Program Files\Common Files\Java
2007-04-14 00:12:16 1156 --a------ C:\WINDOWS\mozver.dat
2007-04-13 22:10:03 0 d-------- C:\Documents and Settings\Andziulkaa\Dane aplikacji\Lavasoft
2007-04-13 21:55:56 26694 --a------ C:\WINDOWS\System32\xxyvwwx.dll
2007-04-13 21:44:50 26694 --a------ C:\WINDOWS\System32\byxvspo.dll
2007-04-13 21:37:23 26694 --a------ C:\WINDOWS\System32\fccdedb.dll
2007-04-13 21:29:39 26694 --a------ C:\WINDOWS\System32\urqolml.dll
2007-04-13 21:02:25 26694 --a------ C:\WINDOWS\System32\rqrsrpp.dll
2007-04-13 20:51:47 26694 --a------ C:\WINDOWS\System32\tuvwtur.dll
2007-04-13 20:38:46 26694 --a------ C:\WINDOWS\System32\vtuspqo.dll
2007-04-13 20:09:09 26694 --a------ C:\WINDOWS\System32\gebawvs.dll
2007-04-13 19:18:55 26694 --a------ C:\WINDOWS\System32\ddcaxuv.dll
2007-04-13 17:41:38 26694 --a------ C:\WINDOWS\System32\wvusspp.dll
2007-04-13 17:27:12 26694 --a------ C:\WINDOWS\System32\fccyvvw.dll
2007-04-13 17:09:46 26694 --a------ C:\WINDOWS\System32\awttrsr.dll
2007-04-13 16:45:39 26694 --a------ C:\WINDOWS\System32\qomjhih.dll
2007-04-13 16:27:17 26694 --a------ C:\WINDOWS\System32\fccyaab.dll
2007-04-13 15:21:08 26694 --a------ C:\WINDOWS\System32\ddcdbbx.dll
2007-04-13 15:14:15 26694 --a------ C:\WINDOWS\System32\jkkhhii.dll
2007-04-12 22:00:21 0 --a------ C:\WINDOWS\nsreg.dat
2007-04-12 22:00:11 0 d-------- C:\Documents and Settings\Andziulkaa\Dane aplikacji\Mozilla
2007-04-12 18:05:15 26694 --a------ C:\WINDOWS\System32\rqrolll.dll
2007-04-11 18:16:03 0 d-------- C:\Documents and Settings\Andziulkaa\Dane aplikacji\PC Tools
2007-04-11 17:14:07 0 d-------- C:\Documents and Settings\Andziulkaa\Dane aplikacji\Macromedia
2007-04-11 15:32:59 0 d-------- C:\Program Files\SkanerOnline
2007-04-11 15:09:32 0 d-------- C:\Program Files\Common Files\ODBC
2007-04-11 15:09:29 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-04-11 15:09:10 62 --ahs---- C:\Documents and Settings\Andziulkaa\Dane aplikacji\desktop.ini
2007-04-11 14:50:27 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-11 14:50:26 0 d-------- C:\Program Files\SAGEM
2007-04-11 14:50:25 0 d-------- C:\Program Files\Common Files\InstallShield
2007-04-11 14:50:09 0 d-------- C:\Program Files\JavaSoft
2007-04-11 14:48:08 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2007-04-11 14:46:25 0 d-------- C:\Program Files\Gadu-Gadu
2007-04-11 14:42:28 0 d-------- C:\Program Files\Alwil Software
2007-04-11 14:31:26 0 d-------- C:\Program Files\MarBit
2007-04-11 14:31:06 0 d-------- C:\Program Files\Vplayer
2007-04-11 14:30:02 0 d-------- C:\Program Files\MCS Studios
2007-04-11 14:27:19 355486 --a------ C:\WINDOWS\System32\perfh015.dat
2007-04-11 14:27:19 49492 --a------ C:\WINDOWS\System32\perfc015.dat
2007-04-11 14:26:39 0 d-------- C:\Program Files\C-Media 3D Audio
2007-04-11 14:25:03 0 d-------- C:\Program Files\Ahead
2007-04-11 14:22:07 0 d-------- C:\Documents and Settings\Andziulkaa\Dane aplikacji\Identities
2007-04-11 14:17:57 0 d-------- C:\Program Files\microsoft frontpage
2007-04-11 14:17:35 0 -rahs---- C:\MSDOS.SYS
2007-04-11 14:17:35 0 -rahs---- C:\IO.SYS
2007-04-11 14:17:35 0 --a------ C:\CONFIG.SYS
2007-04-11 14:17:35 0 --a------ C:\AUTOEXEC.BAT
2007-04-11 14:16:04 0 d-------- C:\Program Files\Movie Maker
2007-04-11 14:15:39 0 d-------- C:\Program Files\Common Files\MSSoap
2007-04-11 14:14:52 21856 --a------ C:\WINDOWS\System32\emptyregdb.dat
2007-04-11 14:14:32 0 d--h----- C:\Program Files\WindowsUpdate
2007-04-11 14:14:32 0 d-------- C:\Program Files\Usługi online
2007-04-11 14:14:22 0 d-------- C:\Program Files\MSN Gaming Zone
2007-04-11 14:14:20 0 d-------- C:\Program Files\Windows NT
2007-03-15 12:00:36 466432 --a------ C:\WINDOWS\System32\SkanerOnline.dll
-- Registry Dump ---------------------------------------------------------------
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""D:\Spyware Doctor\swdoctor.exe" /Q"
"PC Firewall"="C:\Program Files\MCS Studios\PC Firewall\pcfw.exe"
"MSMSGS"=""C:\Program Files\Messenger\MSMSGS.EXE" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe"
"HTpatch"="C:\WINDOWS\htpatch.exe"
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
"autoclk"="autoclk.exe"
"WOOWATCH"="C:\PROGRA~1\Wanadoo\Watch.exe"
"WOOTASKBARICON"="C:\PROGRA~1\Wanadoo\TaskbarIcon.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
"WindowsUpdate"="rundll32.exe "C:\WINDOWS\System32\oqbgdcfe.dll",realset"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2354A369-FB71-4D46-AE6D-701001F6D987}"=""
"{AFC9BF99-BFD7-4CCA-9D5E-025A63757211}"=""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE"
"Spyware Doctor"=""D:\Spyware Doctor\swdoctor.exe" /Q"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE"
"Spyware Doctor"=""D:\Spyware Doctor\swdoctor.exe" /Q"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjkigf
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqp
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_SISPORT
-- End of ComboScan: finished at 2007-05-15 at 23:31:10 ------------------------
______
LOG FROM Silent Runners:
"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Spyware Doctor" = ""D:\Spyware Doctor\swdoctor.exe" /Q" ["PC Tools Research Pty Ltd"]
"PC Firewall" = "C:\Program Files\MCS Studios\PC Firewall\pcfw.exe" ["MCS Studios (http://www.mcsstudios.com)"]
"MSMSGS" = ""C:\Program Files\Messenger\MSMSGS.EXE" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]
"HTpatch" = "C:\WINDOWS\htpatch.exe" [null data]
"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"autoclk" = "autoclk.exe" [empty string]
"WOOWATCH" = "C:\PROGRA~1\Wanadoo\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" ["France Télécom R&D"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"WindowsUpdate" = "rundll32.exe "C:\WINDOWS\System32\oqbgdcfe.dll",realset" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1D65844C-DDB4-4D90-9407-C65C6C6F8200}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\vtsqp.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{8E503101-9244-4823-8EF2-3257F018DA3b}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\jofgshmq.dll" [file not found]
{AFC9BF99-BFD7-4CCA-9D5E-025A63757211}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\ljjkigf.dll" [null data]
{E2EE5C44-C66D-499d-BEAE-A2A79189A63A}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\kefcgjoo.dll" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "D:\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Microsoft Office\OFFICE11\msohev.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{AFC9BF99-BFD7-4CCA-9D5E-025A63757211}" = "*" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\ljjkigf.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! crypt\DLLName = "crypts.dll" [file not found]
INFECTION WARNING! ljjkigf\DLLName = "ljjkigf.dll" [null data]
INFECTION WARNING! vtsqp\DLLName = "C:\WINDOWS\System32\vtsqp.dll" [null data]
HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Andziulkaa\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Startup items in "Andziulkaa" & "All Users" startup folders:
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
PC Tools Spyware Doctor, SDhelper, "D:\Spyware Doctor\sdhelp.exe" ["PC Tools Research Pty Ltd"]
Print Monitors:
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
----------
- This report excludes default entries except where indicated.
- To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
- To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 752 seconds, including 6 seconds for message boxes)
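The two logs above point at the same set of launch points: two BHOs registered without a name (vtsqp.dll and ljjkigf.dll), the same two DLLs registered as Winlogon Notify packages, ljjkigf.dll additionally registered as a ShellExecuteHook, a Run value called "WindowsUpdate" that loads oqbgdcfe.dll through rundll32.exe, and a run of 26694-byte DLLs with random seven-letter names written to System32 over several days. A DLL under Winlogon\Notify is loaded by winlogon.exe at every logon, before the user's shell, and a ShellExecuteHook is loaded into explorer.exe; a component with that foothold can drop its files again after a scanner deletes them, which fits the reinfection described in the post. The script below is an added example and is not part of this post nor of HijackThis, ComboScan or Silent Runners. It parses lines of the kinds shown above and flags those indicators. The Winlogon Notify allow-list, the function names and the three-hit threshold for size clusters are the example's own assumptions; the embedded sample is a handful of lines copied from the logs in this post. It also carries the cross-check a practitioner would want for the "(file missing)" marks on the avast! services: the same executables appear in the running-process list and Silent Runners reports them with a company name, so the flag is only reported when the service binary is not a live process.

```python
"""Added example: triage of HijackThis / ComboScan output.
Flags unnamed BHOs, non-default Winlogon Notify packages, a Run value
loading a DLL through rundll32, services whose binary is absent, and
same-size random-named DLLs dropped into System32."""
import re
from collections import defaultdict

# Winlogon Notify packages on a clean Windows XP box. Assumption of this
# example: build your own list from a known-clean machine before use.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scardsvr",
                "schedule", "sclgntfy", "senslogn", "termsrv",
                "wlballoon", "wgalogon"}
# Name shape of the dropped DLLs in the log: 5-8 letters, no digits.
RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$", re.IGNORECASE)
# ComboScan file listing: "<date> <time> <size> <attrs> <path>"
FILE_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s+(.+)$")


def running_processes(lines):
    """Lower-cased paths listed under 'Running processes:'."""
    procs, active = set(), False
    for raw in lines:
        s = raw.strip()
        if s == "Running processes:":
            active = True
        elif active and re.match(r"^[A-Za-z]:\\", s):
            procs.add(s.lower())
        else:
            active = False
    return procs


def classify_hjt_line(line, procs=frozenset()):
    """Reason string if a HijackThis line is suspicious, else None."""
    s = line.strip()
    if s.startswith("O2 - BHO:") and "(no name)" in s:
        return "BHO registered without a name"
    if s.startswith("O20 - Winlogon Notify:"):
        pkg = s.split("Winlogon Notify:", 1)[1].split(" - ", 1)[0].strip()
        if pkg.lower() not in KNOWN_NOTIFY:
            return "non-default Winlogon Notify package: " + pkg
    if s.startswith("O4 -") and "rundll32" in s.lower():
        m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', s, re.I)
        if m and RANDOM_DLL.match(m.group(1).rsplit("\\", 1)[-1]):
            return "Run value loads a random-named DLL through rundll32"
    if s.startswith("O23 - Service:") and "(file missing)" in s:
        # HijackThis 1.99.1 prints "(file missing)" for the avast! services
        # too although their .exe files are running, so the flag only
        # counts when the binary is not a live process.
        m = re.search(r'([A-Za-z]:\\[^"]+?\.exe)', s)
        if m and m.group(1).lower() not in procs:
            return "service binary missing and not running"
    return None


def same_size_dll_clusters(lines, min_count=3):
    """Random-named System32 DLLs grouped by size; only sizes seen at
    least min_count times are returned. One dropper writing the same
    payload under fresh names leaves exactly this fingerprint."""
    by_size = defaultdict(list)
    for raw in lines:
        m = FILE_LINE.match(raw.strip())
        if not m:
            continue
        size, path = int(m.group(2)), m.group(4)
        name = path.rsplit("\\", 1)[-1]
        if "\\system32\\" in path.lower() and RANDOM_DLL.match(name):
            by_size[size].append(name)
    return {sz: names for sz, names in by_size.items()
            if len(names) >= min_count}


def triage(log_text):
    """Return ([(line, reason), ...], {size: [dll names]})."""
    lines = log_text.splitlines()
    procs = running_processes(lines)
    findings = []
    for ln in lines:
        reason = classify_hjt_line(ln, procs)
        if reason:
            findings.append((ln.strip(), reason))
    return findings, same_size_dll_clusters(lines)


# Sample input: lines copied from the ComboScan/HijackThis log in this post.
SAMPLE_LOG = r'''Running processes:
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D65844C-DDB4-4D90-9407-C65C6C6F8200} - C:\WINDOWS\System32\vtsqp.dll
O2 - BHO: (no name) - {AFC9BF99-BFD7-4CCA-9D5E-025A63757211} - C:\WINDOWS\System32\ljjkigf.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\System32\oqbgdcfe.dll",realset
O20 - Winlogon Notify: ljjkigf - C:\WINDOWS\SYSTEM32\ljjkigf.dll
O20 - Winlogon Notify: vtsqp - C:\WINDOWS\System32\vtsqp.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: msn msgr 32-bit?blient process (msnmsgr32) - Unknown owner - C:\WINDOWS\system\msnmsgr32.exe (file missing)
2007-05-11 19:22:36 132660 --a------ C:\WINDOWS\System32\oqbgdcfe.dll
2007-04-16 17:34:46 227840 --a------ C:\WINDOWS\System32\srrstr.dll
2007-04-15 00:20:56 26694 --a------ C:\WINDOWS\System32\xxyvvvu.dll
2007-04-14 21:38:44 26694 --a------ C:\WINDOWS\System32\opnoopq.dll
2007-04-14 20:54:32 26694 --a------ C:\WINDOWS\System32\ssqpppp.dll
2007-04-14 19:29:47 280676 ---hs---- C:\WINDOWS\System32\vtsqp.dll
2007-04-14 19:24:35 26694 --a------ C:\WINDOWS\System32\ljjkigf.dll
'''

if __name__ == "__main__":
    found, clusters = triage(SAMPLE_LOG)
    for line, reason in found:
        print(f"{reason}\n    {line}")
    for size, names in clusters.items():
        print(f"{len(names)} DLLs of {size} bytes: {', '.join(names)}")
```

Run as-is it triages the embedded sample; for real use pass a whole saved log to triage(). The size-cluster rule is a heuristic, not proof: legitimate DLLs of identical size exist (srrstr.dll above is a normal Windows file that happens to have a random-looking name), which is why the rule also requires a System32 location and at least three hits at one size before it reports anything.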