Please help, Kaspersky detected backdoor.win32.agent.arb
Here are the logs to check and the Kaspersky report
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
31 sierpień 2007 19:58:31
System operacyjny: Microsoft Windows XP Home Edition, Dodatek Service Pack 2 (Build 2600)
Kaspersky Online Scanner wersja: 5.0.83.0
Ostatnia aktualizacja Kaspersky Anti-Virus 31/08/2007
Liczba wpisów w bazie danych Kaspersky Anti-Virus 401518
-------------------------------------------------------------------------------
Ustawienia skanowania:
Skanowanie przy użyciu następujących baz danych: rozszerzone
Skanuj archiwa: tak
Skanuj pocztowe bazy danych: tak
Obszar skanowania - Mój komputer:
C:\
D:\
E:\
F:\
G:\
H:\
Statystyki skanowania:
Liczba skanowanych obiektów: 45294
Liczba wykrytych wirusów: 1
Liczba zainfekowanych obiektów: 4 / 0
Liczba podejrzanych obiektów: 0
Czas trwania skanowania: 00:30:30
Nazwa zainfekowanego obiektu / Nazwa wirusa / Ostatnie działanie
C:\Documents and Settings\admin\Cookies\index.dat Object is locked pominięty
C:\Documents and Settings\admin\NTUSER.DAT Object is locked pominięty
C:\Documents and Settings\admin\ntuser.dat.LOG Object is locked pominięty
C:\Documents and Settings\admin\UserData\index.dat Object is locked pominięty
C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Ahead\Nero Home\bl.db Object is locked pominięty
C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Ahead\Nero Home\is2.db Object is locked pominięty
C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Feeds Cache\index.dat Object is locked pominięty
C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked pominięty
C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty
C:\Documents and Settings\admin\Ustawienia lokalne\Historia\History.IE5\index.dat Object is locked pominięty
C:\Documents and Settings\admin\Ustawienia lokalne\Historia\History.IE5\MSHist012007083120070901\index.dat Object is locked pominięty
C:\Documents and Settings\admin\Ustawienia lokalne\Temp\~DF36BA.tmp Object is locked pominięty
C:\Documents and Settings\admin\Ustawienia lokalne\Temp\~DF36C2.tmp Object is locked pominięty
C:\Documents and Settings\admin\Ustawienia lokalne\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked pominięty
C:\Documents and Settings\admin\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat Object is locked pominięty
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked pominięty
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked pominięty
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked pominięty
C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked pominięty
C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty
C:\Documents and Settings\LocalService\Ustawienia lokalne\Historia\History.IE5\index.dat Object is locked pominięty
C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat Object is locked pominięty
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked pominięty
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked pominięty
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked pominięty
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty
C:\mksbasel.cpp.log Object is locked pominięty
C:\Program Files\ESET\cache\CACHE.NDB Object is locked pominięty
C:\Program Files\ESET\logs\virlog.dat Object is locked pominięty
C:\Program Files\ESET\logs\warnlog.dat Object is locked pominięty
C:\Program Files\Internet Explorer\Setup\svchost.exe Zainfekowanych: Backdoor.Win32.Agent.arb pominięty
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\access_log Object is locked pominięty
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error.log Object is locked pominięty
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error_log Object is locked pominięty
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\ssl_request_log Object is locked pominięty
C:\Program Files\SkanerOnline\Raporty\2007-08-31_19-21-59.mrp Object is locked pominięty
C:\svchost.exe/data.rar/svchost.exe Zainfekowanych: Backdoor.Win32.Agent.arb pominięty
C:\svchost.exe/data.rar Zainfekowanych: Backdoor.Win32.Agent.arb pominięty
C:\svchost.exe RarSFX: zainfekowany - 2 pominięty
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty
C:\WINDOWS\Debug\PASSWD.LOG Object is locked pominięty
C:\WINDOWS\SchedLgU.Txt Object is locked pominięty
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked pominięty
C:\WINDOWS\Sti_Trace.log Object is locked pominięty
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked pominięty
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked pominięty
C:\WINDOWS\system32\config\default Object is locked pominięty
C:\WINDOWS\system32\config\default.LOG Object is locked pominięty
C:\WINDOWS\system32\config\Internet.evt Object is locked pominięty
C:\WINDOWS\system32\config\SAM Object is locked pominięty
C:\WINDOWS\system32\config\SAM.LOG Object is locked pominięty
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked pominięty
C:\WINDOWS\system32\config\SECURITY Object is locked pominięty
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked pominięty
C:\WINDOWS\system32\config\software Object is locked pominięty
C:\WINDOWS\system32\config\software.LOG Object is locked pominięty
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked pominięty
C:\WINDOWS\system32\config\system Object is locked pominięty
C:\WINDOWS\system32\config\system.LOG Object is locked pominięty
C:\WINDOWS\system32\h323log.txt Object is locked pominięty
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked pominięty
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked pominięty
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked pominięty
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked pominięty
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked pominięty
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked pominięty
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked pominięty
C:\WINDOWS\Temp\a2cache_243202F9.dat Object is locked pominięty
C:\WINDOWS\Temp\Perflib_Perfdata_88c.dat Object is locked pominięty
C:\WINDOWS\wiadebug.log Object is locked pominięty
C:\WINDOWS\wiaservc.log Object is locked pominięty
C:\WINDOWS\WindowsUpdate.log Object is locked pominięty
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty
Proces skanowania został zakończony.
"Silent Runners.vbs", revision R51, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"SpybotDeletingB7983" = "command /c del "C:\Program Files\Internet Explorer\Setup\svchost.exe"" [null data]
"SpybotDeletingD2046" = "cmd /c del "C:\Program Files\Internet Explorer\Setup\svchost.exe"" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]
"SoundMAX" = ""C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray" ["Analog Devices, Inc."]
"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"LogitechVideoRepair" = "E:\Program Files\Logitech\Video\ISStart.exe" ["Labtec Inc."]
"LogitechVideoTray" = "E:\Program Files\Logitech\Video\LogiTray.exe" ["Labtec Inc."]
"LXCCCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16" [MS]
"lxccmon.exe" = ""C:\Program Files\Lexmark 3300 Series\lxccmon.exe"" ["Lexmark International, Inc."]
"FaxCenterServer" = ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [null data]
"CnxDslTaskBar" = ""C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe" "ZTE Corporation\ZXDSL852"" ["Conexant Systems, Inc."]
"SunJavaUpdateSched" = "rem "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" [file not found]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"SpybotDeletingA1847" = "command /c del "C:\Program Files\Internet Explorer\Setup\svchost.exe"" [null data]
"SpybotDeletingC6568" = "cmd /c del "C:\Program Files\Internet Explorer\Setup\svchost.exe"" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32(Default) = "E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = "Skype add-on (mastermind)"
-> {HKLM...CLSID} = "Skype add-on (mastermind)"
\InProcServer32(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Labtec Pictures"
-> {HKLM...CLSID} = "My Labtec Pictures"
\InProcServer32(Default) = "E:\Program Files\Logitech\Video\Namespc2.dll" ["Labtec Inc."]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32(Default) = "E:\Program Files\rarext.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32(Default) = "E:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32(Default) = "E:\Program Files\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32(Default) = "E:\Program Files\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a-squared Free Shell Extension(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32(Default) = "E:\Program Files\rarext.dll" [null data]
HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a-squared Free Shell Extension(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
Group Policies {policy setting}:
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoResolveTrack" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoResolveTrack" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]
Startup items in "admin" & "All Users" startup folders:
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Reader Speed Launch" -> shortcut to: "E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 31
%SYSTEMROOT%\system32\nvappfilter.dll ["NVIDIA"], 06 - 08, 14
%SystemRoot%\system32\mswsock.dll [MS], 09 - 11, 15 - 30
%SystemRoot%\system32\rsvpsp.dll [MS], 12 - 13
Toolbars, Explorer Bars, Extensions:
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{77BF5300-1474-4EC7-9980-D32B190E9B07}\
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
-> {HKLM...CLSID} = "Skype add-on (button)"
\InProcServer32(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll ,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
a-squared Free Service, a2free, ""C:\Program Files\a-squared Free\a2service.exe"" ["Emsi Software GmbH"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
ATK Keyboard Service, ATKKeyboardService, "C:\WINDOWS\ATKKBService.exe" ["ASUSTeK COMPUTER INC."]
ForceWare Intelligent Application Manager (IAM), ForceWare Intelligent Application Manager (IAM), "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe" [empty string]
ForceWare IP service, nSvcIp, "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe" ["NVIDIA Corporation"]
ForceWare user log service, nSvcLog, "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe" ["NVIDIA Corporation"]
Forceware Web Interface, ForcewareWebInterface, ""C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice" ["Apache Software Foundation"]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
lxcc_device, lxcc_device, "C:\WINDOWS\system32\lxcccoms.exe -service" ["Lexmark International, Inc."]
NMIndexingService, NMIndexingService, ""C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe"" ["Nero AG"]
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
Registry Management Service, RegManServ, "E:\Advanced Registry Doctor\RegManServ.exe" [null data]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
Print Monitors:
HKLM\System\CurrentControlSet\Control\Print\Monitors\
3300 Series Port\Driver = "lxcclmpm.DLL" ["Lexmark International, Inc."]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]
---------- (launch time: 2007-08-31 20:01:25)
<>: Suspicious data at a malware launch point.
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
The search for DESKTOP.INI DLL launch points on all local fixed drives
took 14 seconds.
---------- (total run time: 40 seconds)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:03:58, on 2007-08-31
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
E:\Advanced Registry Doctor\RegManServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM…\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM…\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM…\Run: [LogitechVideoRepair] E:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM…\Run: [LogitechVideoTray] E:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM…\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM…\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM…\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM…\Run: [CnxDslTaskBar] "C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe" "ZTE Corporation\ZXDSL852"
O4 - HKLM…\Run: [SunJavaUpdateSched] rem "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM…\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM…\RunOnce: [SpybotDeletingA1847] command /c del "C:\Program Files\Internet Explorer\Setup\svchost.exe"
O4 - HKLM…\RunOnce: [SpybotDeletingC6568] cmd /c del "C:\Program Files\Internet Explorer\Setup\svchost.exe"
O4 - HKCU…\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\RunOnce: [SpybotDeletingB7983] command /c del "C:\Program Files\Internet Explorer\Setup\svchost.exe"
O4 - HKCU…\RunOnce: [SpybotDeletingD2046] cmd /c del "C:\Program Files\Internet Explorer\Setup\svchost.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip…{D9EB72A0-A7BF-4296-A5F3-8A15469AF8A9}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - E:\Advanced Registry Doctor\RegManServ.exe

--
End of file - 8030 bytes

Please help.