Slow computer and viruses

Logfile of HijackThis v1.99.1

Scan saved at 13:30:19, on 2007-03-01

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system\icrss.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\WINDOWS\System32\mmp.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Neostrada TP\NeostradaTP.exe

C:\Program Files\Neostrada TP\ComComp.exe

C:\Program Files\Neostrada TP\Watch.exe

C:\Program Files\Skype\Plugin Manager\SkypePM.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\qqweqw\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eu.microsoft.com/poland/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL

O2 - BHO: InstaFinder_K - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL

O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll

O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll

O4 - HKLM\..\Run: [internat.exe] internat.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [Microsoft Security Monitor Process] mmp.exe

O4 - HKLM\..\Run: [FrameWork 2.5] FrameWork.exe

O4 - HKLM\..\Run: [Windows modez Verifier] nmsn.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\efes.exe

O4 - HKLM\..\Run: [wdmgrr.exe] C:\WINDOWS\System32\wdmgr.exe

O4 - HKLM\..\RunServices: [Microsoft Security Monitor Process] mmp.exe

O4 - HKLM\..\RunServices: [FrameWork 2.5] FrameWork.exe

O4 - HKLM\..\RunServices: [Windows modez Verifier] nmsn.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FLASHGET\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FLASHGET\jc_link.htm

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe

O16 - DPF: Win32 Classes - 

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - 

O17 - HKLM\System\CCS\Services\Tcpip\..\{9A6B6442-4363-4202-8751-DAA395BBA993}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll

O20 - Winlogon Notify: bt848rom - C:\WINDOWS\SYSTEM32\bt848rom.dll

O23 - Service: icrss manager 32bit (icrss) - Unknown owner - C:\WINDOWS\system\icrss.exe

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)

O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)

O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z o.o."]

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"internat.exe" = "internat.exe" [file not found]

"SystemTray" = "SysTray.Exe" [MS]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]

"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]

"P2P Networking" = "C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART" ["Joltid Ltd."]

"Microsoft Security Monitor Process" = "mmp.exe" [null data]

"FrameWork 2.5" = "FrameWork.exe" [file not found]

"Windows modez Verifier" = "nmsn.exe" [file not found]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"Anti-Virus Update Scheduler" = "C:\efes.exe" [null data]

"wdmgrr.exe" = "C:\WINDOWS\System32\wdmgr.exe" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{4D1C4E81-A32A-416b-BCDB-33B3EF3617D3}\(Default) = "Need2Find Bar BHO"

  -> {HKLM...CLSID} = "Need2Find Bar BHO"

                   \InProcServer32\(Default) = "C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL" ["Need2Find"]

{4E7BD74F-2B8D-469E-90F0-F66AB581A933}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "InstaFinder_K"

                   \InProcServer32\(Default) = "C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL" [empty string]

{59879FA4-4790-461c-A1CC-4EC4DE4CA483}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "RXResultTracker Class"

                   \InProcServer32\(Default) = "C:\Program Files\RXToolBar\sfcont.dll" [empty string]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FLASHGET\jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"

  -> {HKLM...CLSID} = "Menu Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"

  -> {HKLM...CLSID} = "Tracking Shell Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"

  -> {HKLM...CLSID} = "Menu Site"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"

  -> {HKLM...CLSID} = "Menu Desk Bar"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"

  -> {HKLM...CLSID} = "IShellFolderBand"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "Łą&cza"

  -> {HKLM...CLSID} = "Łą&cza"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"

  -> {HKLM...CLSID} = "Thumbnail Image"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

<> "System" = "kdllx.exe" [null data]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> bt848rom\DLLName = "bt848rom.dll" [**WMI GetObject error**]

<> crypt\DLLName = "crypts.dll" [null data]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/html\CLSID = "{2AB289AE-4B90-4281-B2AE-1F4BB034B647}"

  -> {HKLM...CLSID} = "RXResultFilter Class"

                   \InProcServer32\(Default) = "C:\Program Files\RXToolBar\sfcont.dll" [empty string]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Documents and Settings\qqweqw\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\qqweqw\Dane aplikacji\Opera\Opera\profile\skin\0696bea2af2b754ff685352b8f4c8bae,8,1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Enabled Scheduled Tasks:

------------------------


"Rozpoczęcie aplikacji dostrajania" -> launches: "walign" [file not found]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:

%SystemRoot%\system32\mswsock.dll [MS], 1 - 3

%SystemRoot%\system32\rsvpsp.dll [MS], 4 - 5



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}"

  -> {HKLM...CLSID} = "RX Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\RXToolBar\RXToolBar.dll" [empty string]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"

  -> {HKLM...CLSID} = "FlashGet Bar"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FLASHGET\fgiebar.dll" ["Amaze Soft"]

"{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}" = "RXToolBar"

  -> {HKLM...CLSID} = "RX Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\RXToolBar\RXToolBar.dll" [empty string]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "C:\PROGRA~1\FLASHGET\flashget.exe" ["Amaze Soft"]



Miscellaneous IE Hijack Points

------------------------------


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)

  -> {HKLM...CLSID} = "Search Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


icrss manager 32bit, icrss, ""C:\WINDOWS\system\icrss.exe"" [null data]



----------

<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 50 seconds.

---------- (total run time: 238 seconds)

Use Windows Worms Doors Cleaner and change the markers from disable to enable (all markers should be green; if any of them is yellow, leave it). A restart is required after using the tool.

Start => Run => type cmd and click OK => in the console that opens, type:

In Safe Mode with System Restore disabled, delete:

Delete the marked files and folders manually from the disk, and the entries in HijackThis.

Additionally, delete the files:

Open Notepad and paste this into it:

File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.

Use the FixWareOut tool.

When done, paste a complete set of new logs:

  • HijackThis
  • GMER, run with the following settings:
Logfile of HijackThis v1.99.1

Scan saved at 18:48:28, on 2007-03-01

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Eset\nod32kui.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Skype\Plugin Manager\SkypePM.exe

C:\Documents and Settings\qqweqw\Ustawienia lokalne\Temp\Katalog tymczasowy 4 dla hijackthis.zip\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eu.microsoft.com/poland/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll

O4 - HKLM\..\Run: [internat.exe] internat.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FLASHGET\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FLASHGET\jc_link.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z o.o."]

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"internat.exe" = "internat.exe" [file not found]

"SystemTray" = "SysTray.Exe" [MS]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]

"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FLASHGET\jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"

  -> {HKLM...CLSID} = "Menu Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"

  -> {HKLM...CLSID} = "Tracking Shell Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"

  -> {HKLM...CLSID} = "Menu Site"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"

  -> {HKLM...CLSID} = "Menu Desk Bar"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"

  -> {HKLM...CLSID} = "IShellFolderBand"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "Łą&cza"

  -> {HKLM...CLSID} = "Łą&cza"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"

  -> {HKLM...CLSID} = "Thumbnail Image"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Documents and Settings\qqweqw\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\qqweqw\Dane aplikacji\Opera\Opera\profile\skin\0696bea2af2b754ff685352b8f4c8bae,8,1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Enabled Scheduled Tasks:

------------------------


"Rozpoczęcie aplikacji dostrajania" -> launches: "walign" [file not found]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 11

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"

  -> {HKLM...CLSID} = "FlashGet Bar"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FLASHGET\fgiebar.dll" ["Amaze Soft"]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "C:\PROGRA~1\FLASHGET\flashget.exe" ["Amaze Soft"]



Miscellaneous IE Hijack Points

------------------------------


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)

  -> {HKLM...CLSID} = "Search Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]



----------

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 24 seconds.

---------- (total run time: 173 seconds)

GMER 1.0.12.12027 - http://www.gmer.net

Rootkit scan 2007-03-01 18:46:50

Windows 5.1.2600 



---- Kernel code sections - GMER 1.0.12 ----


.text ntoskrnl.exe!KeInitializeInterrupt + B79 804D4F8E 1 Byte [06]


---- EOF - GMER 1.0.12 ----

GMER 1.0.12.12027 - http://www.gmer.net

Rootkit scan 2007-03-01 18:47:49

Windows 5.1.2600 



---- Services - GMER 1.0.12 ----


Service [DISABLED] Abiosdsk

Service [DISABLED] abp480n5

Service C:\WINDOWS\System32\DRIVERS\ACPI.sys [BOOT] ACPI

Service [DISABLED] ACPIEC

Service [DISABLED] adpu160m

Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec

Service C:\WINDOWS\System32\drivers\afd.sys [AUTO] AFD

Service [DISABLED] Aha154x

Service [DISABLED] aic78u2

Service [DISABLED] aic78xx

Service C:\WINDOWS\System32\DRIVERS\alcan5wn.sys [MANUAL] alcan5wn

Service C:\WINDOWS\System32\DRIVERS\alcaudsl.sys [MANUAL] alcaudsl

Service C:\WINDOWS\system32\drivers\ALCXWDM.SYS [MANUAL] ALCXWDM

Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG

Service [DISABLED] AliIde

Service C:\WINDOWS\system32\drivers\amon.sys [AUTO] AMON

Service [DISABLED] amsint

Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt

Service [DISABLED] asc

Service [DISABLED] asc3350p

Service [DISABLED] asc3550

Service C:\WINDOWS\System32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac

Service C:\WINDOWS\System32\DRIVERS\atapi.sys [BOOT] atapi

Service [DISABLED] Atdisk

Service C:\WINDOWS\System32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc

Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv

Service C:\WINDOWS\System32\DRIVERS\audstub.sys [MANUAL] audstub

Service BattC

Service [SYSTEM] Beep

Service C:\WINDOWS\System32\svchost.exe [AUTO] BITS

Service [DISABLED] cbidf2k

Service [DISABLED] cd20xrnt

Service [SYSTEM] Cdaudio

Service [DISABLED] Cdfs

Service C:\WINDOWS\System32\DRIVERS\cdrom.sys [SYSTEM] Cdrom

Service [SYSTEM] Changer

Service C:\WINDOWS\System32\cisvc.exe [MANUAL] cisvc

Service C:\WINDOWS\system32\clipsrv.exe [MANUAL] ClipSrv

Service [DISABLED] CmdIde

Service C:\WINDOWS\System32\dllhost.exe [MANUAL] COMSysApp

Service ContentFilter

Service ContentIndex

Service [DISABLED] Cpqarray

Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc

Service [DISABLED] dac2w2k

Service [DISABLED] dac960nt

Service C:\WINDOWS\System32\svchost.exe [AUTO] Dhcp

Service C:\WINDOWS\System32\DRIVERS\disk.sys [BOOT] Disk

Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin

Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot

Service C:\WINDOWS\System32\drivers\dmio.sys [BOOT] dmio

Service C:\WINDOWS\System32\drivers\dmload.sys [BOOT] dmload

Service C:\WINDOWS\System32\svchost.exe [AUTO] dmserver

Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic

Service C:\WINDOWS\System32\svchost.exe [AUTO] Dnscache

Service [DISABLED] dpti2o

Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud

Service C:\WINDOWS\System32\svchost.exe [AUTO] ERSvc

Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog

Service C:\WINDOWS\System32\svchost.exe [MANUAL] EventSystem

Service [DISABLED] Fastfat

Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility

Service C:\WINDOWS\System32\DRIVERS\fdc.sys [MANUAL] Fdc

Service [SYSTEM] Fips

Service C:\WINDOWS\System32\DRIVERS\flpydisk.sys [MANUAL] Flpydisk

Service [SYSTEM] Fs_Rec

Service C:\WINDOWS\System32\DRIVERS\ftdisk.sys [BOOT] Ftdisk

Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] gmer

Service E:\INSTALL\GMSIPCI.SYS [MANUAL] GMSIPCI

Service C:\WINDOWS\System32\DRIVERS\msgpc.sys [MANUAL] Gpc

Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc

Service C:\WINDOWS\System32\svchost.exe [DISABLED] HidServ

Service C:\WINDOWS\System32\DRIVERS\hidusb.sys [MANUAL] hidusb

Service [DISABLED] hpn

Service [DISABLED] hpt3xx

Service [SYSTEM] i2omgmt

Service [DISABLED] i2omp

Service C:\WINDOWS\System32\DRIVERS\i8042prt.sys [SYSTEM] i8042prt

Service [SYSTEM] Imapi

Service C:\WINDOWS\System32\imapi.exe [MANUAL] ImapiService

Service inetaccs

Service [DISABLED] ini910u

Service Inport

Service [DISABLED] IntelIde

Service C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver

Service C:\WINDOWS\System32\DRIVERS\ipinip.sys [MANUAL] IpInIp

Service C:\WINDOWS\System32\DRIVERS\ipnat.sys [MANUAL] IpNat

Service C:\WINDOWS\System32\DRIVERS\ipsec.sys [SYSTEM] IPSec

Service C:\WINDOWS\System32\DRIVERS\irenum.sys [MANUAL] IRENUM

Service ISAPISearch

Service C:\WINDOWS\System32\DRIVERS\isapnp.sys [BOOT] isapnp

Service [SYSTEM] k53lock

Service C:\WINDOWS\System32\DRIVERS\kbdclass.sys [SYSTEM] Kbdclass

Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer

Service [BOOT] KSecDD

Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanserver

Service lanmanworkstation

Service [SYSTEM] lbrtfdc

Service ldap

Service LicenseService

Service C:\WINDOWS\System32\svchost.exe [AUTO] LmHosts

Service [DISABLED] Messenger

Service [SYSTEM] mnmdd

Service C:\WINDOWS\System32\mnmsrvc.exe [MANUAL] mnmsrvc

Service [MANUAL] Modem

Service C:\WINDOWS\System32\DRIVERS\mouclass.sys [SYSTEM] Mouclass

Service C:\WINDOWS\System32\DRIVERS\mouhid.sys [MANUAL] mouhid

Service [BOOT] MountMgr

Service [DISABLED] mraid35x

Service C:\WINDOWS\System32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV

Service C:\WINDOWS\System32\msdtc.exe [MANUAL] MSDTC

Service [SYSTEM] Msfs

Service C:\WINDOWS\System32\msiexec.exe [MANUAL] MSIServer

Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV

Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK

Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM

Service [BOOT] Mup

Service [BOOT] NDIS

Service C:\WINDOWS\System32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi

Service C:\WINDOWS\System32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio

Service C:\WINDOWS\System32\DRIVERS\ndiswan.sys [MANUAL] NdisWan

Service [MANUAL] NDProxy

Service C:\WINDOWS\System32\DRIVERS\netbt.sys [SYSTEM] NetBT

Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDE

Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDEdsdm

Service Netlogon

Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman

Service C:\WINDOWS\System32\svchost.exe [MANUAL] Nla

Service C:\WINDOWS\system32\drivers\nod32drv.sys [SYSTEM] nod32drv

Service C:\Program Files\Eset\nod32krn.exe [AUTO] NOD32krn

Service [SYSTEM] Npfs

Service E:\NTACCESS.sys [MANUAL] NTACCESS

Service [DISABLED] Ntfs

Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc

Service [SYSTEM] Null

Service C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [MANUAL] nv

Service nv4

Service C:\WINDOWS\System32\nvsvc32.exe [AUTO] NVSvc

Service C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt

Service C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd

Service C:\WINDOWS\System32\DRIVERS\parport.sys [MANUAL] Parport

Service [BOOT] PartMgr

Service [AUTO] ParVdm

Service C:\WINDOWS\System32\DRIVERS\pci.sys [BOOT] PCI

Service [SYSTEM] PCIDump

Service [DISABLED] PCIIde

Service [DISABLED] Pcmcia

Service [MANUAL] PDCOMP

Service [MANUAL] PDFRAME

Service [MANUAL] PDRELI

Service [MANUAL] PDRFRAME

Service [DISABLED] perc2

Service [DISABLED] perc2hib

Service PerfDisk

Service PerfNet

Service PerfOS

Service PerfProc

Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay

Service C:\WINDOWS\System32\lsass.exe [AUTO] PolicyAgent

Service C:\WINDOWS\System32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport

Service C:\WINDOWS\System32\DRIVERS\processr.sys [SYSTEM] Processor

Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage

Service C:\WINDOWS\System32\DRIVERS\ptilink.sys [MANUAL] Ptilink

Service C:\WINDOWS\System32\Drivers\PxHelp20.sys [BOOT] PxHelp20

Service [DISABLED] ql1080

Service [DISABLED] Ql10wnt

Service [DISABLED] ql12160

Service [DISABLED] ql1240

Service [DISABLED] ql1280

Service C:\WINDOWS\System32\DRIVERS\rasacd.sys [SYSTEM] RasAcd

Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasAuto

Service C:\WINDOWS\System32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp

Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasMan

Service C:\WINDOWS\System32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe

Service C:\WINDOWS\System32\DRIVERS\raspti.sys [MANUAL] Raspti

Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [SYSTEM] RDPCDD

Service RDPDD

Service C:\WINDOWS\System32\DRIVERS\rdpdr.sys [MANUAL] rdpdr

Service RDPNP

Service [MANUAL] RDPWD

Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr

Service C:\WINDOWS\System32\DRIVERS\redbook.sys [SYSTEM] redbook

Service C:\WINDOWS\System32\svchost.exe [DISABLED] RemoteAccess

Service C:\WINDOWS\system32\svchost.exe [DISABLED] RemoteRegistry

Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs

Service C:\WINDOWS\System32\rsvp.exe [MANUAL] RSVP

Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs

Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardDrv

Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardSvr

Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule

Service C:\WINDOWS\System32\DRIVERS\secdrv.sys [AUTO] Secdrv

Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon

Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS

Service C:\WINDOWS\System32\DRIVERS\serenum.sys [MANUAL] serenum

Service C:\WINDOWS\System32\DRIVERS\serial.sys [SYSTEM] Serial

Service E:\NTGLM7X.sys [MANUAL] SetupNTGLM7X

Service [SYSTEM] Sfloppy

Service C:\WINDOWS\System32\svchost.exe [AUTO] SharedAccess

Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection

Service [DISABLED] Simbad

Service [DISABLED] Sparrow

Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter

Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler

Service C:\WINDOWS\System32\DRIVERS\sr.sys [DISABLED] sr

Service C:\WINDOWS\System32\svchost.exe [AUTO] srservice

Service C:\WINDOWS\System32\DRIVERS\srv.sys [MANUAL] Srv

Service C:\WINDOWS\System32\svchost.exe [MANUAL] SSDPSRV

Service C:\WINDOWS\System32\svchost.exe [AUTO] stisvc

Service C:\WINDOWS\System32\DRIVERS\swenum.sys [MANUAL] swenum

Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi

Service C:\WINDOWS\System32\dllhost.exe [MANUAL] SwPrv

Service [DISABLED] symc810

Service [DISABLED] symc8xx

Service [DISABLED] sym_hi

Service [DISABLED] sym_u3

Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio

Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog

Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv

Service C:\WINDOWS\System32\DRIVERS\tcpip.sys [SYSTEM] Tcpip

Service [MANUAL] TDPIPE

Service [MANUAL] TDTCP

Service C:\WINDOWS\System32\DRIVERS\termdd.sys [SYSTEM] TermDD

Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService

Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes

Service C:\WINDOWS\System32\tlntsvr.exe [DISABLED] TlntSvr

Service [DISABLED] TosIde

Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks

Service TSDDD

Service [DISABLED] Udfs

Service [DISABLED] ultra

Service [AUTO] UMWdf

Service C:\WINDOWS\System32\DRIVERS\update.sys [MANUAL] Update

Service C:\WINDOWS\System32\svchost.exe [AUTO] uploadmgr

Service C:\WINDOWS\System32\svchost.exe [MANUAL] upnphost

Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS

Service usb

Service C:\WINDOWS\System32\DRIVERS\usbhub.sys [MANUAL] usbhub

Service C:\WINDOWS\System32\DRIVERS\usbscan.sys [MANUAL] usbscan

Service C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [MANUAL] USBSTOR

Service C:\WINDOWS\System32\DRIVERS\usbuhci.sys [MANUAL] usbuhci

Service C:\WINDOWS\System32\drivers\vga.sys [SYSTEM] VgaSave

Service C:\WINDOWS\System32\DRIVERS\viaagp1.sys [BOOT] viaagp1

Service C:\WINDOWS\System32\DRIVERS\viaidexp.sys [BOOT] ViaIde

Service [BOOT] VolSnap

Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS

Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time

Service W3SVC

Service C:\WINDOWS\System32\DRIVERS\wanarp.sys [MANUAL] Wanarp

Service [MANUAL] WDICA

Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud

Service C:\WINDOWS\System32\svchost.exe [AUTO] WebClient

Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt

Service [MANUAL] Winsock

Service WinSock2

Service WinTrust

Service C:\WINDOWS\System32\svchost.exe [MANUAL] WmdmPmSN

Service C:\WINDOWS\System32\svchost.exe [MANUAL] Wmi

Service WmiApRpl

Service C:\WINDOWS\System32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv

Service C:\WINDOWS\System32\drivers\ws2ifsl.sys [MANUAL] WS2IFSL

Service [DISABLED] wscsvc

Service C:\WINDOWS\system32\svchost.exe [DISABLED] wuauserv

Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC


---- EOF - GMER 1.0.12 ----

Fixwareout Last edited 2/11/2007

Post this report in the forums please 

...

»»»»»Prerun check

HKLM\SOFTWARE\~\Winlogon\ "System"="kdllx.exe"


»»»»» System restarted


»»»»» Postrun check 

HKLM\SOFTWARE\~\Winlogon\ "system"="" 

....

....

»»»»» Misc files. 

....

»»»»» Checking for older varients.

....


Search five digit cs, dm, kd, jb, other, files.

The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection. 




Click browse, find the file then click submit.

http://www.virustotal.com/flash/index_en.html

Or http://virusscan.jotti.org/


»»»»» Other




»»»»» Current runs 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe"

"SystemTray"="SysTray.Exe"

"SoundMan"="SOUNDMAN.EXE"

"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"

"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

"nwiz"="nwiz.exe /install"

"WooCnxMon"="C:\\PROGRA~1\\NEOSTR~1\\CnxMon.exe"

"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"

"WOOWATCH"="C:\\PROGRA~1\\NEOSTR~1\\Watch.exe"

"WOOTASKBARICON"="C:\\PROGRA~1\\NEOSTR~1\\TaskbarIcon.exe"

"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"

"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

"Gadu-Gadu"="\"C:\\Program Files\\Gadu-Gadu\\gg.exe\" /tray"

"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

....

Hosts file was reset, If you use a custom hosts file please replace it

»»»»» End report »»»»»

In the logs I only see:

In GMER, on the CMD tab, with the CMD.EXE option checked, paste:

Then click Run. After a moment the computer should restart.

Scan the system with the HaxFix tool.