pysiul86
(Olga86)
2 August 2008 13:46
#1
Hello, I have another problem with a computer, and of course I hope I can count on your help, because this is very important to me. Some sizeable computer virus has appeared on my sister-in-law's computer. I don't know exactly how it got there, but probably via a pendrive; that pendrive also carries a computer virus, since I recently infected my own computer with it.
The computer keeps freezing. I don't know why, but it takes a very long time to shut down, the disk seems to be slowing down, and from time to time some errors appear as well.
The pendrive is also infected, and I would like you to help me disinfect all of it. To start with, I am posting 2 logs, from HJT and SR.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:37:30, on 2008-08-02
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\WINDOWS\system32\temp1.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\AdVantage\AdVantage.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Szczypkowska Kasia\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [AdVantage] "C:\Program Files\AdVantage\AdVantage.exe"
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{3184D0E3-C432-47A9-A952-380FE16BE71C}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{3184D0E3-C432-47A9-A952-380FE16BE71C}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4334 bytes

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Nokia.PCSync" = ""C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog" ["Time Information Services Ltd."]
"PC Suite Tray" = ""C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray" ["Nokia"]
"AdVantage" = ""C:\Program Files\AdVantage\AdVantage.exe"" ["AdVantage"]
"Picasa Media Detector" = "C:\Program Files\Picasa2\PicasaMediaDetector.exe" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]
"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}\(Default) = "Ask Search Assistant BHO"
  -> {HKLM...CLSID} = "Ask Search Assistant BHO"
       \InProcServer32\(Default) = "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" ["Ask.com "]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
       \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}\(Default) = "Ask Toolbar BHO"
  -> {HKLM...CLSID} = "Ask Toolbar BHO"
       \InProcServer32\(Default) = "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" ["Ask.com "]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
       \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
       \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
  -> {HKLM...CLSID} = "IE Microsoft AutoComplete"
       \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
       \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
       \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL" [MS]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser"
  -> {HKLM...CLSID} = "Nokia Phone Browser"
       \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\phonebrowser.dll" ["Nokia"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
       \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Szczypkowska Kasia\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

BSMediaPlayerOnArrival\
"Provider" = "BearShare"
"ProgID" = "BearShare.LauncherEventHandler"
HKLM\SOFTWARE\Classes\BearShare.LauncherEventHandler\CLSID\(Default) = "{A7A4A19A-00AC-473c-8225-1B97D1FDD43E}"
  -> {HKLM...CLSID} = "CLauncherEventHandler Object"
       \LocalServer32\(Default) = ""C:\PROGRA~1\BEARSH~1\BEARSH~1\LAUNCHER.EXE"" ["MusicLab LLC"]

BSPlayCDAudioOnArrival\
"Provider" = "BearShare"
"InvokeProgID" = "BearShare.AudioCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\BearShare.AudioCD\shell\play\Command\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~1\BearShare.exe --playdrive %L" ["MusicLab, LLC"]

BSplayerCDDA\
"Provider" = "BSplayer multimedia player"
"InvokeProgID" = "BSP.plist"
"InvokeVerb" = "play"
HKCU\Software\Classes\BSP.plist\shell\play\command\(Default) = "C:\Program Files\Webteh\BSplayer\bsplayer.exe "%L"" ["AB Team"]

BSRipCDAudioOnArrival\
"Provider" = "BearShare"
"InvokeProgID" = "BearShare.AudioCD"
"InvokeVerb" = "rip"
HKLM\SOFTWARE\Classes\BearShare.AudioCD\shell\rip\Command\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~1\BearShare.exe --ripdrive %L" ["MusicLab, LLC"]

BSShowCDAudioOnArrival\
"Provider" = "BearShare"
"InvokeProgID" = "BearShare.AudioCD"
"InvokeVerb" = "show"
HKLM\SOFTWARE\Classes\BearShare.AudioCD\shell\show\Command\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~1\BearShare.exe --showdrive %L" ["MusicLab, LLC"]

NMMPlayCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMPlayCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMPlayCD\command\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\MusicManager.exe /playCD "%L"" ["Nokia"]

NMMRipCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMRipCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMRipCD\command\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\MusicManager.exe /ripCD "%L"" ["Nokia"]

Picasa2ImportPicturesOnArrival\
"Provider" = "Picasa2"
"InvokeProgID" = "picasa2.autoplay"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "C:\Program Files\Picasa2\Picasa2.exe "%1"" ["Google Inc."]


Startup items in "Szczypkowska Kasia" & "All Users" startup folders:
--------------------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" = (no title provided)
  -> {HKLM...CLSID} = "Ask Toolbar"
       \InProcServer32\(Default) = "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" ["Ask.com "]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\SOFTWARE\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\SOFTWARE\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<<!>> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
  -> {HKLM...CLSID} = "Search Class"
       \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]
<<!>> "{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}" = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
       \InProcServer32\(Default) = "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" ["Ask.com "]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ServiceLayer, ServiceLayer, ""C:\Program Files\PC Connectivity Solution\ServiceLayer.exe"" ["Nokia."]


---------- (launch time: 2008-08-02 15:42:47)
<<!>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 15 seconds.
---------- (total run time: 73 seconds)
I would really appreciate your help, because my sister-in-law cannot bear to use the computer any longer.
huber2t
(huber2t)
2 August 2008 13:49
#2
Fix in HijackThis.
Download ComboFix, but do not run it.
Open Notepad and paste into it:
File::
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\temp1.exe
Folder::
C:\Program Files\AdVantage
File -> Save as -> CFScript.txt.
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like here ->
Removal will start and a log will be produced, which you post on the forum.
Post the logs on http://wklejto.pl or http://wklej.org and put only the link in your post.
Leon1
(Leon$)
2 August 2008 13:52
#3
Remove the entries with HijackThis >> Fix checked.
Download ComboFix http://www.searchengines.pl/index.php?s … ntry395642 but do not run it.
Open Notepad and paste
Save as CFScript.txt (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon
http://img.wklej.org/images/88953CFScri … iemoes.gif
Removal should start.
Then post the ComboFix removal log.
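An added example (not code from the thread, from HijackThis or from ComboFix) of the triage that posts #2 and #3 do by eye: it parses HJT log lines, flags the entries those posts acted on (a core binary name loaded from outside system32 via a win.ini load= line, a temp*.exe in the Windows directory, folders of programs the thread treats as unwanted) and prints them in the File::/Folder:: CFScript format from post #2. The drive-C: system paths, the core-binary list and the two unwanted folder names are assumptions taken from this thread.

```python
"""Triage of a HijackThis (HJT) log: an added example for this thread, not code
from HijackThis, ComboFix or the posters.  Hits become a ComboFix CFScript."""
import re

# Core Windows binaries that legitimately run only from %SystemRoot%\system32
# (hand-picked assumption for this example; extend it for your own baseline).
CORE_SYSTEM32 = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
WINDIR = "c:\\windows"                 # assumption: Windows XP on drive C:
SYSTEM32 = WINDIR + "\\system32"
# Program folders this thread itself treats as unwanted (AdVantage from the
# CFScript in post #2, AskSBar from ComboFix's "Other Deletions").
KNOWN_UNWANTED = ("AdVantage", "AskSBar")
TEMP_NAME = re.compile(r"^temp\d*\.exe$", re.I)
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")       # "F3 - ...", "O4 - ..."
DRIVE_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)', re.I)
UNWANTED_DIR = re.compile(r"[A-Za-z]:\\Program Files\\(?:"
                          + "|".join(map(re.escape, KNOWN_UNWANTED))
                          + r")(?=\\|$)", re.I)

def parse_hjt(text):
    """Return (running process paths, [(section code, body), ...])."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY.match(line)
        if m:                      # first numbered entry ends the process list
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            procs.append(line)
    return procs, entries

def path_reasons(path):
    """Rules that fire on a bare executable path."""
    folder, _, name = path.lower().rpartition("\\")
    reasons = []
    if name in CORE_SYSTEM32 and folder != SYSTEM32:
        reasons.append("core Windows binary name outside system32 (masquerade)")
    if TEMP_NAME.match(name) and folder.startswith(WINDIR):
        reasons.append("generic temp*.exe name inside the Windows directory")
    return reasons

def triage(text):
    """Map suspicious files and folders to the reasons they were flagged."""
    procs, entries = parse_hjt(text)
    files, folders = {}, {}

    def inspect(path, extra=None):
        for reason in path_reasons(path) + ([extra] if extra else []):
            if reason not in files.setdefault(path, []):
                files[path].append(reason)
        m = UNWANTED_DIR.match(path)
        if m:
            folders.setdefault(m.group(0), ["folder of a known unwanted program"])

    for proc in procs:
        inspect(proc)
    for code, body in entries:
        m = DRIVE_PATH.search(body)
        if not m:                  # e.g. a bare "SOUNDMAN.EXE" with no path
            continue
        legacy = code == "F3" and re.search(r"\b(?:load|run)=", body)
        inspect(m.group(0), "win.ini load=/run= autostart (legacy)" if legacy else None)
    return {"files": files, "folders": folders}

def build_cfscript(result):
    """Render File:: and Folder:: sections in the format used in post #2."""
    out = []
    for header, bucket in (("File::", result["files"]),
                           ("Folder::", result["folders"])):
        if bucket:
            out += [header, *bucket, ""]
    return "\n".join(out)

# Constructed excerpt: lines copied from the first HJT log in this thread,
# just enough to exercise every rule above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\temp1.exe
C:\Program Files\AdVantage\AdVantage.exe

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKCU\..\Run: [AdVantage] "C:\Program Files\AdVantage\AdVantage.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

The svchost.exe that runs from system32 is deliberately not flagged; only the copy loaded from C:\WINDOWS through win.ini is, which is exactly the pair of lines the helpers singled out.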
pysiul86
(Olga86)
2 August 2008 14:16
#4
OK, I did everything you asked and I am posting the logs from the 3 programs after those steps. I don't know why, but the computer is still slow.
ComboFix 08-08-01.04 - Szczypkowska Kasia 2008-08-02 16:10:02.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.89 [GMT 2:00]
Running from: C:\Documents and Settings\Szczypkowska Kasia\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Szczypkowska Kasia\Pulpit\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\temp1.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AskSBar
C:\Program Files\AskSBar\bar\1.bin\A2FFXTBR.JAR
C:\Program Files\AskSBar\bar\1.bin\A2FFXTBR.MANIFEST
C:\Program Files\AskSBar\bar\1.bin\A2HIGHIN.EXE
C:\Program Files\AskSBar\bar\1.bin\A2NTSTBR.JAR
C:\Program Files\AskSBar\bar\1.bin\A2NTSTBR.MANIFEST
C:\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
C:\Program Files\AskSBar\bar\1.bin\NPASKSBR.DLL
C:\Program Files\AskSBar\bar\1.bin\V2RSSMNU.DLL
C:\Program Files\AskSBar\bar\Cache\0089DD36
C:\Program Files\AskSBar\bar\Cache\0089ECB7
C:\Program Files\AskSBar\bar\Cache\008A0909.bin
C:\Program Files\AskSBar\bar\Cache\008A11F2.bin
C:\Program Files\AskSBar\bar\Cache\008A1B39.bin
C:\Program Files\AskSBar\bar\Cache\008A20C7.bin
C:\Program Files\AskSBar\bar\Cache\008A28E5.bin
C:\Program Files\AskSBar\bar\Cache\008A3009.bin
C:\Program Files\AskSBar\bar\Cache\files.ini
C:\Program Files\AskSBar\bar\History\search2
C:\Program Files\AskSBar\bar\Settings\prevcfg2.htm
C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

.
(((((((((((((((((((((((((   Files Created from 2008-07-02 to 2008-08-02   )))))))))))))))))))))))))))))))
.

2008-08-02 15:59 . 2008-08-02 15:59
2008-08-02 15:59 . 2008-08-02 15:59
2008-08-02 00:39 . 2008-08-02 00:39
2008-08-02 00:39 . 2008-08-02 00:39
2008-07-27 17:15 . 2008-07-27 17:15
2008-07-27 17:15 . 2008-07-27 17:15
2008-07-27 17:15 . 2008-07-27 17:15
2008-07-27 17:14 . 2008-07-27 17:14
2008-07-27 15:01 . 2008-07-27 15:01
2008-07-27 15:01 . 2008-07-27 15:01
2008-07-27 15:01 . 2006-10-05 04:42	2,560	---------	C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-07-27 15:01 . 2006-10-05 04:42	2,432	---------	C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-07-26 23:03 . 2008-07-26 23:03
2008-07-26 06:37 . 2008-07-26 06:37
2008-07-26 06:37 . 2007-11-22 16:00	483,328	--a------	C:\WINDOWS\system32\actskn45.ocx
2008-07-25 23:44 . 2008-07-25 23:44
2008-07-11 21:04 . 2008-07-11 21:04
2008-07-11 16:54 . 2008-07-11 16:54
2008-07-11 16:54 . 2008-07-11 16:54
2008-07-11 16:54 . 2008-07-11 16:54
2008-07-08 11:27 . 2006-09-13 18:18	25,600	--a------	C:\WINDOWS\system32\drivers\usbser.sys
2008-07-08 11:27 . 2008-07-08 11:27	0	--ah-----	C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-08 11:27 . 2008-07-08 11:27	0	--ah-----	C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-07-08 11:26 . 2008-07-08 11:26
2008-07-08 11:26 . 2008-07-08 11:26
2008-07-08 11:26 . 2008-07-08 11:26
2008-07-08 11:26 . 2008-07-08 11:26
2008-07-08 11:26 . 2008-07-08 11:26
2008-07-08 11:26 . 2008-07-08 11:26
2008-07-08 11:26 . 2008-07-08 11:26
2008-07-08 11:26 . 2007-09-17 15:53	21,632	--a------	C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-07-08 11:25 . 2008-07-08 11:25
2008-07-08 11:25 . 2008-07-08 11:25
2008-07-08 11:25 . 2008-05-07 07:39	1,419,232	--a------	C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-07-08 11:25 . 2008-05-07 07:38	659,968	--a------	C:\WINDOWS\system32\nmwcdcocls.dll
2008-07-08 11:25 . 2008-05-07 07:38	90,624	--a------	C:\WINDOWS\system32\nmwcdcls.dll
2008-07-08 11:25 . 2008-05-07 07:38	20,864	--a------	C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-07-08 11:25 . 2008-05-07 07:38	17,536	--a------	C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-07-08 11:25 . 2008-05-07 07:38	8,064	--a------	C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-07-08 11:25 . 2008-06-06 09:24	8,064	--a------	C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-07-08 11:24 . 2008-07-08 11:24
2008-07-04 20:06 . 2008-07-04 20:06	1,160	--a------	C:\WINDOWS\mozver.dat
2008-07-04 16:09 . 2008-07-04 16:09

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 12:28	---------	d-----w	C:\Documents and Settings\Szczypkowska Kasia\Dane aplikacji\Microsoft Web Folders
2008-06-29 10:58	---------	d-----w	C:\Documents and Settings\Szczypkowska Kasia\Dane aplikacji\Gadu-Gadu
2008-06-29 10:46	---------	d-----w	C:\Program Files\Skype
2008-06-29 10:46	---------	d-----w	C:\Program Files\Real Alternative
2008-06-29 10:45	---------	d-----w	C:\Program Files\Winamp
2008-06-29 10:44	---------	d-----w	C:\Program Files\Gadu-Gadu
2008-06-28 18:57	23	----a-w	C:\WINDOWS\system32\drivers\adidsl.cfg
2008-06-28 18:57	---------	d-----w	C:\Program Files\SAGEM
2008-06-28 18:56	---------	d-----w	C:\Program Files\Neostrada TP
2008-06-28 18:13	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-06-28 18:13	---------	d-----w	C:\Program Files\Realtek Sound Manager
2008-06-28 18:13	---------	d-----w	C:\Program Files\Common Files\InstallShield
2008-06-28 18:13	---------	d-----w	C:\Program Files\AvRack
2008-06-28 17:48	---------	d-----w	C:\Program Files\Usługi online
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 16:00 1249280]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-06-18 14:31 1122816]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 19:07 24576]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 19:07 20480]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 19:07 53248]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SoundMan"="SOUNDMAN.EXE" [2002-11-19 13:24 46592 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2008-06-28 20:57:01 962661]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Gadu-Gadu\gg.exe"=
"C:\Program Files\BearShare Applications\BearShare\BearShare.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=

S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 16:11:00
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-02 16:11:26
ComboFix-quarantined-files.txt  2008-08-02 14:11:24
ComboFix2.txt  2008-08-02 13:57:38

Pre-Run: 3,762,298,880 bajtów wolnych
Post-Run: 3,756,769,280 bajtów wolnych

143

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Nokia.PCSync" = ""C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog" ["Time Information Services Ltd."]
"PC Suite Tray" = ""C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray" ["Nokia"]
"Picasa Media Detector" = "C:\Program Files\Picasa2\PicasaMediaDetector.exe" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]
"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
       \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
       \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
       \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
  -> {HKLM...CLSID} = "IE Microsoft AutoComplete"
       \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
       \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
       \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL" [MS]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser"
  -> {HKLM...CLSID} = "Nokia Phone Browser"
       \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\phonebrowser.dll" ["Nokia"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
       \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


Default executables:
--------------------

HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Szczypkowska Kasia\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

BSMediaPlayerOnArrival\
"Provider" = "BearShare"
"ProgID" = "BearShare.LauncherEventHandler"
HKLM\SOFTWARE\Classes\BearShare.LauncherEventHandler\CLSID\(Default) = "{A7A4A19A-00AC-473c-8225-1B97D1FDD43E}"
  -> {HKLM...CLSID} = "CLauncherEventHandler Object"
       \LocalServer32\(Default) = ""C:\PROGRA~1\BEARSH~1\BEARSH~1\LAUNCHER.EXE"" ["MusicLab LLC"]

BSPlayCDAudioOnArrival\
"Provider" = "BearShare"
"InvokeProgID" = "BearShare.AudioCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\BearShare.AudioCD\shell\play\Command\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~1\BearShare.exe --playdrive %L" ["MusicLab, LLC"]

BSplayerCDDA\
"Provider" = "BSplayer multimedia player"
"InvokeProgID" = "BSP.plist"
"InvokeVerb" = "play"
HKCU\Software\Classes\BSP.plist\shell\play\command\(Default) = "C:\Program Files\Webteh\BSplayer\bsplayer.exe "%L"" ["AB Team"]

BSRipCDAudioOnArrival\
"Provider" = "BearShare"
"InvokeProgID" = "BearShare.AudioCD"
"InvokeVerb" = "rip"
HKLM\SOFTWARE\Classes\BearShare.AudioCD\shell\rip\Command\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~1\BearShare.exe --ripdrive %L" ["MusicLab, LLC"]

BSShowCDAudioOnArrival\
"Provider" = "BearShare"
"InvokeProgID" = "BearShare.AudioCD"
"InvokeVerb" = "show"
HKLM\SOFTWARE\Classes\BearShare.AudioCD\shell\show\Command\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~1\BearShare.exe --showdrive %L" ["MusicLab, LLC"]

NMMPlayCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMPlayCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMPlayCD\command\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\MusicManager.exe /playCD "%L"" ["Nokia"]

NMMRipCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMRipCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMRipCD\command\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\MusicManager.exe /ripCD "%L"" ["Nokia"]

Picasa2ImportPicturesOnArrival\
"Provider" = "Picasa2"
"InvokeProgID" = "picasa2.autoplay"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "C:\Program Files\Picasa2\Picasa2.exe "%1"" ["Google Inc."]


Startup items in "Szczypkowska Kasia" & "All Users" startup folders:
--------------------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\SOFTWARE\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\SOFTWARE\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<<!>> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
  -> {HKLM...CLSID} = "Search Class"
       \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ServiceLayer, ServiceLayer, ""C:\Program Files\PC Connectivity Solution\ServiceLayer.exe"" ["Nokia."]


---------- (launch time: 2008-08-02 16:14:11)
<<!>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 13 seconds.
---------- (total run time: 55 seconds)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:16:10, on 2008-08-02
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Szczypkowska Kasia\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run:
[WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Nokia.PCSync] “C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe” /NoDialog O4 - HKCU…\Run: [PC Suite Tray] “C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe” -onlytray O4 - HKCU…\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O17 - HKLM\System\CCS\Services\Tcpip…{3184D0E3-C432-47A9-A952-380FE16BE71C}: NameServer = 194.204.159.1 217.98.63.164 O17 - HKLM\System\CS1\Services\Tcpip…{3184D0E3-C432-47A9-A952-380FE16BE71C}: NameServer = 194.204.159.1 217.98.63.164 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe – End of file - 3914 bytes
Leon1
(Leon$)
2 August 2008 14:24
#5
Open Notepad and paste
save it as CFScript.txt (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon
http://img.wklej.org/images/88953CFScri … iemoes.gif
The removal should start
Then post the ComboFix removal log
pysiul86
(Olga86)
2 August 2008 14:25
#6
I would also very much appreciate instructions on how to remove this virus from the pendrive
pysiul86
(Olga86)
2 August 2008 14:32
#7
OK, I did it; here is the log:
ComboFix 08-08-01.04 - Szczypkowska Kasia 2008-08-02 16:28:11.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.64 [GMT 2:00]
Running from: C:\Documents and Settings\Szczypkowska Kasia\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Szczypkowska Kasia\Pulpit\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.000
C:\FOUND.000\FILE0000.CHK
C:\FOUND.000\FILE0001.CHK
C:\FOUND.000\FILE0002.CHK
C:\FOUND.000\FILE0003.CHK
C:\FOUND.000\FILE0004.CHK
C:\FOUND.000\FILE0005.CHK
C:\FOUND.000\FILE0006.CHK
C:\FOUND.000\FILE0007.CHK
C:\FOUND.000\FILE0008.CHK
C:\FOUND.000\FILE0009.CHK
C:\FOUND.000\FILE0010.CHK
C:\FOUND.000\FILE0011.CHK
C:\FOUND.000\FILE0012.CHK
C:\FOUND.000\FILE0013.CHK
C:\FOUND.000\FILE0014.CHK
C:\FOUND.000\FILE0015.CHK
C:\FOUND.000\FILE0016.CHK
C:\FOUND.000\FILE0017.CHK
C:\FOUND.000\FILE0018.CHK
C:\FOUND.000\FILE0019.CHK
C:\FOUND.000\FILE0020.CHK
C:\FOUND.000\FILE0021.CHK
C:\FOUND.000\FILE0022.CHK
C:\FOUND.000\FILE0023.CHK
C:\FOUND.000\FILE0024.CHK
C:\FOUND.000\FILE0025.CHK
C:\FOUND.000\FILE0026.CHK
C:\FOUND.000\FILE0027.CHK
C:\FOUND.000\FILE0028.CHK
C:\FOUND.000\FILE0029.CHK
C:\FOUND.000\FILE0030.CHK
C:\FOUND.000\FILE0031.CHK
C:\FOUND.000\FILE0032.CHK
C:\FOUND.000\FILE0033.CHK
C:\FOUND.000\FILE0034.CHK
C:\FOUND.000\FILE0035.CHK
C:\FOUND.000\FILE0036.CHK
C:\FOUND.000\FILE0037.CHK
C:\FOUND.000\FILE0038.CHK
C:\FOUND.000\FILE0039.CHK
C:\FOUND.000\FILE0040.CHK
C:\FOUND.000\FILE0041.CHK
C:\FOUND.000\FILE0042.CHK
C:\FOUND.000\FILE0043.CHK

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SETUPNTGLM7X
-------\Service_SetupNTGLM7X


((((((((((((((((((((((((( Files Created from 2008-07-02 to 2008-08-02 )))))))))))))))))))))))))))))))
.

2008-08-02 15:59 . 2008-08-02 15:59
2008-08-02 15:59 . 2008-08-02 15:59
2008-08-02 00:39 . 2008-08-02 00:39
2008-08-02 00:39 . 2008-08-02 00:39
2008-07-27 17:15 . 2008-07-27 17:15
2008-07-27 17:15 . 2008-07-27 17:15
2008-07-27 17:15 . 2008-07-27 17:15
2008-07-27 17:14 . 2008-07-27 17:14
2008-07-27 15:01 . 2008-07-27 15:01
2008-07-27 15:01 . 2008-07-27 15:01
2008-07-27 15:01 . 2006-10-05 04:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-07-27 15:01 . 2006-10-05 04:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-07-26 23:03 . 2008-07-26 23:03
2008-07-26 06:37 . 2008-07-26 06:37
2008-07-26 06:37 . 2007-11-22 16:00 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-07-25 23:44 . 2008-07-25 23:44
2008-07-11 16:54 . 2008-07-11 16:54
2008-07-11 16:54 . 2008-07-11 16:54
2008-07-11 16:54 . 2008-07-11 16:54
2008-07-08 11:27 . 2006-09-13 18:18 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-07-08 11:27 . 2008-07-08 11:27 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-08 11:27 . 2008-07-08 11:27 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-07-08 11:26 . 2008-07-08 11:26
2008-07-08 11:26 . 2008-07-08 11:26
2008-07-08 11:26 . 2008-07-08 11:26
2008-07-08 11:26 . 2008-07-08 11:26
2008-07-08 11:26 . 2008-07-08 11:26
2008-07-08 11:26 . 2008-07-08 11:26
2008-07-08 11:26 . 2008-07-08 11:26
2008-07-08 11:26 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-07-08 11:25 . 2008-07-08 11:25
2008-07-08 11:25 . 2008-07-08 11:25
2008-07-08 11:25 . 2008-05-07 07:39 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-07-08 11:25 . 2008-05-07 07:38 659,968 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-07-08 11:25 . 2008-05-07 07:38 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-07-08 11:25 . 2008-05-07 07:38 20,864 --a------ C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-07-08 11:25 . 2008-05-07 07:38 17,536 --a------ C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-07-08 11:25 . 2008-05-07 07:38 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-07-08 11:25 . 2008-06-06 09:24 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-07-08 11:24 . 2008-07-08 11:24
2008-07-04 20:06 . 2008-07-04 20:06 1,160 --a------ C:\WINDOWS\mozver.dat
2008-07-04 16:09 . 2008-07-04 16:09

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 12:28 --------- d-----w C:\Documents and Settings\Szczypkowska Kasia\Dane aplikacji\Microsoft Web Folders
2008-06-29 10:58 --------- d-----w C:\Documents and Settings\Szczypkowska Kasia\Dane aplikacji\Gadu-Gadu
2008-06-29 10:46 --------- d-----w C:\Program Files\Skype
2008-06-29 10:46 --------- d-----w C:\Program Files\Real Alternative
2008-06-29 10:45 --------- d-----w C:\Program Files\Winamp
2008-06-29 10:44 --------- d-----w C:\Program Files\Gadu-Gadu
2008-06-28 18:57 23 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2008-06-28 18:57 --------- d-----w C:\Program Files\SAGEM
2008-06-28 18:56 --------- d-----w C:\Program Files\Neostrada TP
2008-06-28 18:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 18:13 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-06-28 18:13 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-28 18:13 --------- d-----w C:\Program Files\AvRack
2008-06-28 17:48 --------- d-----w C:\Program Files\Usługi online
.

((((((((((((((((((((((((((((( snapshot@2008-08-02_15.57.21.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 16:00 1249280]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-06-18 14:31 1122816]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 19:07 24576]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 19:07 20480]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 19:07 53248]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SoundMan"="SOUNDMAN.EXE" [2002-11-19 13:24 46592 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2008-06-28 20:57:01 962661]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Gadu-Gadu\gg.exe"=
"C:\Program Files\BearShare Applications\BearShare\BearShare.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 16:30:34
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
C:\PROGRAM FILES\NEOSTRADA TP\CNXMON.EXE
C:\PROGRAM FILES\NEOSTRADA TP\TASKBARICON.EXE
C:\PROGRAM FILES\PC CONNECTIVITY SOLUTION\SERVICELAYER.EXE
C:\PROGRAM FILES\PC CONNECTIVITY SOLUTION\TRANSPORTS\NCLUSBSRV.EXE
C:\PROGRAM FILES\PC CONNECTIVITY SOLUTION\TRANSPORTS\NCLRSSRV.EXE
C:\PROGRAM FILES\COMMON FILES\NOKIA\MPAPI\MPAPI3S.EXE
C:\PROGRAM FILES\COMMON FILES\NOKIA\MPAPI\MPAPI3S.EXE
C:\WINDOWS\SYSTEM32\IMAPI.EXE
.
**************************************************************************
.
Completion time: 2008-08-02 16:31:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-02 14:31:08
ComboFix3.txt 2008-08-02 13:57:38
ComboFix2.txt 2008-08-02 14:11:28

Pre-Run: 3,728,965,632 bajtów wolnych
Post-Run: 3,687,194,624 bajtów wolnych

184
Leon1
(Leon$)
2 August 2008 14:36
#8
The log looks clean
do a startup optimization
http://cybertrash.netarteria.pl/cyber/i … 378.0.html
manually delete the C:\Qoobox folder and delete the ComboFix installer from the disk.
Turn System Restore off and back on on all drives. http://support.microsoft.com/kb/310405/pl
scan the My Computer area with http://www.kaspersky.pl/virusscanner.html and show the report; the page has to be opened in IE
pysiul86
(Olga86)
2 August 2008 14:54
#9
OK, so far I've done everything except the Kaspersky online scan, and I'm pasting the logs on the forum again to be checked:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:52:14, on 2008-08-02
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Szczypkowska Kasia\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{3184D0E3-C432-47A9-A952-380FE16BE71C}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{3184D0E3-C432-47A9-A952-380FE16BE71C}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3914 bytes

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Nokia.PCSync" = ""C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog" ["Time Information Services Ltd."]
"PC Suite Tray" = ""C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray" ["Nokia"]
"Picasa Media Detector" = "C:\Program Files\Picasa2\PicasaMediaDetector.exe" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]
"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
  -> {HKLM...CLSID} = "IE Microsoft AutoComplete"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL" [MS]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser"
  -> {HKLM...CLSID} = "Nokia Phone Browser"
     \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\phonebrowser.dll" ["Nokia"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Szczypkowska Kasia\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

BSMediaPlayerOnArrival\
"Provider" = "BearShare"
"ProgID" = "BearShare.LauncherEventHandler"
HKLM\SOFTWARE\Classes\BearShare.LauncherEventHandler\CLSID\(Default) = "{A7A4A19A-00AC-473c-8225-1B97D1FDD43E}"
  -> {HKLM...CLSID} = "CLauncherEventHandler Object"
     \LocalServer32\(Default) = ""C:\PROGRA~1\BEARSH~1\BEARSH~1\LAUNCHER.EXE"" ["MusicLab LLC"]

BSPlayCDAudioOnArrival\
"Provider" = "BearShare"
"InvokeProgID" = "BearShare.AudioCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\BearShare.AudioCD\shell\play\Command\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~1\BearShare.exe --playdrive %L" ["MusicLab, LLC"]

BSplayerCDDA\
"Provider" = "BSplayer multimedia player"
"InvokeProgID" = "BSP.plist"
"InvokeVerb" = "play"
HKCU\Software\Classes\BSP.plist\shell\play\command\(Default) = "C:\Program Files\Webteh\BSplayer\bsplayer.exe "%L"" ["AB Team"]

BSRipCDAudioOnArrival\
"Provider" = "BearShare"
"InvokeProgID" = "BearShare.AudioCD"
"InvokeVerb" = "rip"
HKLM\SOFTWARE\Classes\BearShare.AudioCD\shell\rip\Command\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~1\BearShare.exe --ripdrive %L" ["MusicLab, LLC"]

BSShowCDAudioOnArrival\
"Provider" = "BearShare"
"InvokeProgID" = "BearShare.AudioCD"
"InvokeVerb" = "show"
HKLM\SOFTWARE\Classes\BearShare.AudioCD\shell\show\Command\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~1\BearShare.exe --showdrive %L" ["MusicLab, LLC"]

NMMPlayCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMPlayCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMPlayCD\command\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\MusicManager.exe /playCD "%L"" ["Nokia"]

NMMRipCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMRipCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMRipCD\command\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\MusicManager.exe /ripCD "%L"" ["Nokia"]

Picasa2ImportPicturesOnArrival\
"Provider" = "Picasa2"
"InvokeProgID" = "picasa2.autoplay"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "C:\Program Files\Picasa2\Picasa2.exe "%1"" ["Google Inc."]


Startup items in "Szczypkowska Kasia" & "All Users" startup folders:
--------------------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
\InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\SOFTWARE\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
\InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\SOFTWARE\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
\InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<<!>> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
  -> {HKLM...CLSID} = "Search Class"
     \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ServiceLayer, ServiceLayer, ""C:\Program Files\PC Connectivity Solution\ServiceLayer.exe"" ["Nokia."]


---------- (launch time: 2008-08-02 16:52:44)
<<!>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 16 seconds.
---------- (total run time: 65 seconds)
huber2t
(huber2t)
2 August 2008 15:16
#10
Logs OK
Show the Kaspersky report when it finishes scanning
Leon1
(Leon$)
2 August 2008 15:19
#11