Wyskakujące okna iexplorer i blokada Kasperskiego


(Lukasz Gorecki) #1

Witam serdecznie,

mam problem ponieważ najwyrazniej zainfekowałem system jakimś wirusem. Objawy: wyskakujące okna iexplorer z dziwnymi stronami, próba łączenia z internetem kiedy jestem odłączony od sieci kilkanaście razy po właczniu wyskakuje okno:brak połaczenia -pracuj w trybie ofline lub próbój ponownie, oraz blokada autoaktualizacji programu antywirusowego Kasperski. Prosze o pomoc, skanowałem system wieloma programami każdy coś znalazł ale problem ciagle istnieje. Załaczam loga z hijackthis (mam nadzieję że prawidłowy gdzyż wysypuje mi sie program po wybraniu opcji skanowania i tworzenia loga)

Logfile of HijackThis v1.99.1

Scan saved at 12:48:54, on 2007-04-12

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)


Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\WLTRYSVC.EXE

C:\WINNT\System32\bcmwltry.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\tcpsvcs.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\ntvdm.exe

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\System32\igfxpers.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINNT\System32\WLTRAY.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\WINNT\AGRSMMSG.exe

C:\Program Files\TOPRO\TPPOLL.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe

C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe

C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE

C:\WINNT\system32\internat.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\wincmd\WINCMD32.EXE

C:\Program Files\Opera\Opera.exe

C:\For All\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

F3 - REG:win.ini: load=c:\progra~1\YDPDict\watch.exe

O3 - Toolbar: @msdxmLC.dll,-1@1045,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CD20~1\Bar888.dll (file missing)

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [igfxtray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINNT\System32\igfxpers.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINNT\System32\WLTRAY.exe

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\K-Lite Codec Pack\Real\mpclauncher.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [tppoll] C:\Program Files\TOPRO\TPPOLL.EXE

O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe

O4 - HKLM\..\Run: [DC6_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe"

O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"

O4 - HKLM\..\Run: [Internet Security Service] msq32.exe

O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe" -run -n Workstation -v 5.0.0.0 -chkss

O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY

O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINNT\system32\kktambtn.dll",setvm

O4 - HKLM\..\RunServices: [Internet Security Service] msq32.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [Internet Security Service] msq32.exe

O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Wyślij do interfejsu &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D7A29E48-1665-46DF-AB43-BF716CC0F98D}: NameServer = 194.204.152.34,194.204.159.1

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe" -run bl -n Workstation -v 5.0.0.0 -ttsr 10000000 (file missing)

O23 - Service: end task (Taskend) - Unknown owner - C:\WINNT\Taskend.exe (file missing)

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE

Z góry dziękuję.

Łukasz


(Hashi) #2

Ja tylko z drobną korektą:

Nie iexplorer (bo to nazwa wirusa) ale iexplore (przeglądarka). Niestety ja na logach się nie znam....


(adam9870) #3

Start => uruchom => wpisz cmd i kliknij OK => w konsoli, która się otworzy wpisz:

W dodaj/usuń programy odinstaluj WinAntiVirus Pro 2006

Pliki i foldery usuń ręcznie w trybie awaryjnym natomiast wpisy HijackThis.

Użyj VundoFix + FixVundo + VirtumundoBeGone. Wszystkie narzędzia należy uruchomić w trybie awaryjnym.

Po wykonaniu pokaż nowy log z hjt, SilentRunners + log z ComboFix. Aby zrobić w nim log należy go uruchomić => nacisnąć klawisz Y => czekać cierpliwie i log powinien być w formie pliku .txt o nazwie combofix na partycji C.


(Lukasz Gorecki) #4

Wykonałem poniższe instrukcje. Pliku "Taskend" nie mam na dysku a wpisu nie potrafię skasować. Załączam nowe logi zgodnie z poniższymi instrukcjami:

Logfile of HijackThis v1.99.1

Scan saved at 09:12:23, on 2007-04-13

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)


Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\WLTRYSVC.EXE

C:\WINNT\System32\bcmwltry.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\tcpsvcs.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\ntvdm.exe

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\System32\igfxpers.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINNT\System32\WLTRAY.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\WINNT\AGRSMMSG.exe

C:\Program Files\TOPRO\TPPOLL.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe

C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe

C:\WINNT\system32\internat.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE

C:\Program Files\Opera\Opera.exe

C:\Program Files\wincmd\WINCMD32.EXE

C:\walka z wirusem\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

F3 - REG:win.ini: load=c:\progra~1\YDPDict\watch.exe

O2 - BHO: (no name) - {087CB711-52D1-722B-F2EE-76D5F825BBBD} - C:\WINNT\system32\bmhj.dll (file missing)

O2 - BHO: (no name) - {2FD419CB-8A1F-4AAA-A485-3529CFD8ECA0} - C:\WINNT\system32\gebcd.dll (file missing)

O2 - BHO: (no name) - {330429BF-30D2-48A9-8444-B33E0019F03F} - C:\WINNT\system32\ddcyw.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINNT\system32\txdrleok.dll

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINNT\system32\oqvvkban.dll

O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CD20~1\Bar888.dll (file missing)

O3 - Toolbar: @msdxmLC.dll,-1@1045,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [igfxtray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINNT\System32\igfxpers.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINNT\System32\WLTRAY.exe

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\K-Lite Codec Pack\Real\mpclauncher.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [tppoll] C:\Program Files\TOPRO\TPPOLL.EXE

O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe" -run -n Workstation -v 5.0.0.0 -chkss

O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Wyślij do interfejsu &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D7A29E48-1665-46DF-AB43-BF716CC0F98D}: NameServer = 194.204.152.34,194.204.159.1

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe" -run bl -n Workstation -v 5.0.0.0 -ttsr 10000000 (file missing)

O23 - Service: end task (Taskend) - Unknown owner - C:\WINNT\Taskend.exe (file missing)

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows 2000

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"internat.exe" = "internat.exe" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Synchronization Manager" = "mobsync.exe /logon" [MS]

"igfxtray" = "C:\WINNT\System32\igfxtray.exe" ["Intel Corporation"]

"igfxhkcmd" = "C:\WINNT\System32\hkcmd.exe" ["Intel Corporation"]

"igfxpers" = "C:\WINNT\System32\igfxpers.exe" ["Intel Corporation"]

"hpWirelessAssistant" = "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" ["Hewlett-Packard Development Company, L.P."]

"WatchDog" = "C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" ["InterVideo Inc."]

"Broadcom Wireless Manager UI" = "C:\WINNT\System32\WLTRAY.exe" ["Broadcom Corporation"]

"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]

"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"CloneCDTray" = ""C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]

"VirtualCloneDrive" = ""C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s" ["Elaborate Bytes AG"]

"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]

"RealTray" = "C:\Program Files\K-Lite Codec Pack\Real\mpclauncher.exe SYSTEMBOOTHIDEPLAYER" [empty string]

"tppoll" = "C:\Program Files\TOPRO\TPPOLL.EXE" [null data]

"KAV50" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe" -run -n Workstation -v 5.0.0.0 -chkss" ["Kaspersky Lab"]

"Ashampoo FireWall" = ""C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{087CB711-52D1-722B-F2EE-76D5F825BBBD}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINNT\system32\bmhj.dll" [file not found]

{2FD419CB-8A1F-4AAA-A485-3529CFD8ECA0}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINNT\system32\gebcd.dll" [file not found]

{330429BF-30D2-48A9-8444-B33E0019F03F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINNT\system32\ddcyw.dll" [file not found]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

{57E218E6-5A80-4f0c-AB25-83598F25D7E9}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINNT\system32\txdrleok.dll" [null data]

{67C55A8D-E808-4caa-9EA7-F77102DE0BB6}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINNT\system32\oqvvkban.dll" [null data]

{C1B4DEC2-2623-438e-9CA2-C9043AB28508}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Bar888"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\{3CD20~1\Bar888.dll" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"

  -> {HKLM...CLSID} = "Moje miejsca interfejsu Bluetooth"

                   \InProcServer32\(Default) = "C:\WINNT\system32\btneighborhood.dll" ["Broadcom Corporation."]

"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"

  -> {HKLM...CLSID} = "IZArc DragDrop Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"

  -> {HKLM...CLSID} = "IZArc Shell Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

"{B7056B8E-4F99-44f8-8CBD-282390FE5428}" = "VirtualCloneDrive"

  -> {HKLM...CLSID} = "VirtualCloneDrive Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"]


HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\

<> "load" = "c:\progra~1\YDPDict\watch.exe" [null data]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"

  -> {HKLM...CLSID} = "IZArc Shell Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

Kaspersky Anti-Virus\(Default) = "{DD230880-495A-11D1-B064-008048EC2FC5}"

  -> {HKLM...CLSID} = "ShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\ShellEx.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"

  -> {HKLM...CLSID} = "IZArc Shell Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{DD230880-495A-11D1-B064-008048EC2FC5}"

  -> {HKLM...CLSID} = "ShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\ShellEx.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINNT\Web\Wallpaper\Zaćmienie słońca.jpg"



Startup items in "Administrator" & "All Users" startup folders:

---------------------------------------------------------------


C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart

"Adobe Gamma Loader.exe" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"BTTray" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation."]

"DVD Check" -> shortcut to: "C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" ["InterVideo Inc."]

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\Program Files\Ashampoo\Ashampoo FireWall\spi.dll [null data], 01 - 05, 18

%SystemRoot%\system32\msafd.dll [MS], 06 - 17, 19 - 21

%SystemRoot%\system32\rsvpsp.dll [MS], 22 - 23



Toolbars, Explorer Bars, Extensions:

------------------------------------


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{CCA281CA-C863-46EF-9331-5C8D4460577F}\

"ButtonText" = "@btrez.dll,-4015"

"MenuText" = "@btrez.dll,-4017"

"Script" = "C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]



Miscellaneous IE Hijack Points

------------------------------


C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")


Missing lines (compared with English-language version):

[DeleteAutosearch.reg]: 1 line



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."]

Broadcom Wireless LAN Tray Service, wltrysvc, "C:\WINNT\System32\WLTRYSVC.EXE C:\WINNT\System32\bcmwltry.exe" [null data]

Kaspersky Anti-Virus Service, KLBLMain, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe" -run bl -n Workstation -v 5.0.0.0 -ttsr 10000000" ["Kaspersky Lab"]

Odbiornik RIP, Iprip, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\iprip.dll" [MS]}

System zdarzeń COM+, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}

Usługi Simple TCP/IP, SimpTcp, "C:\WINNT\system32\tcpsvcs.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Port drukarki interfejsu Bluetooth\Driver = "bthcrp.dll" ["Broadcom Corporation."]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 28 seconds, including 16 seconds for message boxes)

(Joan Sunshine) #5

Pobierz i uruchom narzędzie The Avenger Zaznacz opcję Input script manually i kliknij na Lupkę z prawej strony. W okienku, które się otworzy wklejasz:

Klikasz Done , a następnie zielone światełko i zgadzasz się na restart klikając OK.

Kasujesz ręcznie z dysku plik: C:\Avenger\backup.zip i wklejasz na forum raport: C:\avenger.txt

usun wpisy w hjt, daj nowe logi :slight_smile:


(Lukasz Gorecki) #6

Na początek Avenger:

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\fdfhdtay


*******************


Script file located at: \??\C:\Program Files\onhiihrn.txt

Script file opened successfully.


Script file read successfully


Backups directory opened successfully at C:\Avenger


*******************


Beginning to process script file:


Driver Taskend unloaded successfully.



File C:\WINNT\Taskend.exe not found!

Deletion of file C:\WINNT\Taskend.exe failed!


Could not process line:

C:\WINNT\Taskend.exe

Status: 0xc0000034




File C:\WINNT\system32\txdrleok.dll not found!

Deletion of file C:\WINNT\system32\txdrleok.dll failed!


Could not process line:

C:\WINNT\system32\txdrleok.dll

Status: 0xc0000034


File C:\WINNT\system32\rxqjfplu.dll deleted successfully.

File C:\WINNT\system32\oqvvkban.dll deleted successfully.

File C:\WINNT\system32\dcbeg.bak2 deleted successfully.

File C:\WINNT\system32\wintcc.exe deleted successfully.

File C:\WINNT\system32\svkp.sys deleted successfully.


Completed script processing.


*******************


Finished! Terminate.

Logfile of HijackThis v1.99.1

Scan saved at 14:22:58, on 2007-04-13

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)


Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\WLTRYSVC.EXE

C:\WINNT\System32\bcmwltry.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\tcpsvcs.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\System32\igfxpers.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINNT\System32\WLTRAY.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\WINNT\AGRSMMSG.exe

C:\Program Files\TOPRO\TPPOLL.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe

C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe

C:\WINNT\system32\internat.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Opera\Opera.exe

C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE

C:\Program Files\wincmd\WINCMD32.EXE

C:\walka z wirusem\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

O3 - Toolbar: @msdxmLC.dll,-1@1045,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [igfxtray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINNT\System32\igfxpers.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINNT\System32\WLTRAY.exe

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\K-Lite Codec Pack\Real\mpclauncher.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [tppoll] C:\Program Files\TOPRO\TPPOLL.EXE

O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe" -run -n Workstation -v 5.0.0.0 -chkss

O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Wyślij do interfejsu &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D7A29E48-1665-46DF-AB43-BF716CC0F98D}: NameServer = 194.204.152.34,194.204.159.1

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe" -run bl -n Workstation -v 5.0.0.0 -ttsr 10000000 (file missing)

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows 2000

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"internat.exe" = "internat.exe" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Synchronization Manager" = "mobsync.exe /logon" [MS]

"igfxtray" = "C:\WINNT\System32\igfxtray.exe" ["Intel Corporation"]

"igfxhkcmd" = "C:\WINNT\System32\hkcmd.exe" ["Intel Corporation"]

"igfxpers" = "C:\WINNT\System32\igfxpers.exe" ["Intel Corporation"]

"hpWirelessAssistant" = "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" ["Hewlett-Packard Development Company, L.P."]

"WatchDog" = "C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" ["InterVideo Inc."]

"Broadcom Wireless Manager UI" = "C:\WINNT\System32\WLTRAY.exe" ["Broadcom Corporation"]

"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]

"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"CloneCDTray" = ""C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]

"VirtualCloneDrive" = ""C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s" ["Elaborate Bytes AG"]

"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]

"RealTray" = "C:\Program Files\K-Lite Codec Pack\Real\mpclauncher.exe SYSTEMBOOTHIDEPLAYER" [empty string]

"tppoll" = "C:\Program Files\TOPRO\TPPOLL.EXE" [null data]

"KAV50" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe" -run -n Workstation -v 5.0.0.0 -chkss" ["Kaspersky Lab"]

"Ashampoo FireWall" = ""C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"

  -> {HKLM...CLSID} = "Moje miejsca interfejsu Bluetooth"

                   \InProcServer32\(Default) = "C:\WINNT\system32\btneighborhood.dll" ["Broadcom Corporation."]

"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"

  -> {HKLM...CLSID} = "IZArc DragDrop Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"

  -> {HKLM...CLSID} = "IZArc Shell Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

"{B7056B8E-4F99-44f8-8CBD-282390FE5428}" = "VirtualCloneDrive"

  -> {HKLM...CLSID} = "VirtualCloneDrive Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"

  -> {HKLM...CLSID} = "IZArc Shell Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

Kaspersky Anti-Virus\(Default) = "{DD230880-495A-11D1-B064-008048EC2FC5}"

  -> {HKLM...CLSID} = "ShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\ShellEx.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"

  -> {HKLM...CLSID} = "IZArc Shell Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{DD230880-495A-11D1-B064-008048EC2FC5}"

  -> {HKLM...CLSID} = "ShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\ShellEx.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINNT\Web\Wallpaper\Zaćmienie słońca.jpg"



Startup items in "Administrator" & "All Users" startup folders:

---------------------------------------------------------------


C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart

"Adobe Gamma Loader.exe" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"BTTray" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation."]

"DVD Check" -> shortcut to: "C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" ["InterVideo Inc."]

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\Program Files\Ashampoo\Ashampoo FireWall\spi.dll [null data], 01 - 05, 18

%SystemRoot%\system32\msafd.dll [MS], 06 - 17, 19 - 21

%SystemRoot%\system32\rsvpsp.dll [MS], 22 - 23



Toolbars, Explorer Bars, Extensions:

------------------------------------


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{CCA281CA-C863-46EF-9331-5C8D4460577F}\

"ButtonText" = "@btrez.dll,-4015"

"MenuText" = "@btrez.dll,-4017"

"Script" = "C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]



Miscellaneous IE Hijack Points

------------------------------


C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")


Missing lines (compared with English-language version):

[DeleteAutosearch.reg]: 1 line



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."]

Broadcom Wireless LAN Tray Service, wltrysvc, "C:\WINNT\System32\WLTRYSVC.EXE C:\WINNT\System32\bcmwltry.exe" [null data]

Kaspersky Anti-Virus Service, KLBLMain, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe" -run bl -n Workstation -v 5.0.0.0 -ttsr 10000000" ["Kaspersky Lab"]

System zdarzeń COM+, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}

Usługi Simple TCP/IP, SimpTcp, "C:\WINNT\system32\tcpsvcs.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Port drukarki interfejsu Bluetooth\Driver = "bthcrp.dll" ["Broadcom Corporation."]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 18 seconds, including 5 seconds for message boxes)

"Administrator" - Pt 2007-04-13 14:24:06 Service Pack 4

ComboFix 07-04-05 - Running from: "C:\walka z wirusem"



((((((((((((((((((((((((((((((( Files Created from 2007-03-13 to 2007-04-13 ))))))))))))))))))))))))))))))))))



2007-04-13 14:23	16,384	--a----t-	C:\WINNT\system32\Perflib_Perfdata_34c.dat

2007-04-13 14:17	




Z góry dziękuję Lukasz 



[color=darkblue][size=75][i][b]Złączono Posta[/b]: 13.04.2007 (Pią) 13:36[/i][/size][/color]

Na początek Avenger:

[code]Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\fdfhdtay ******************* Script file located at: \??\C:\Program Files\onhiihrn.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Driver Taskend unloaded successfully. File C:\WINNT\Taskend.exe not found! Deletion of file C:\WINNT\Taskend.exe failed! Could not process line: C:\WINNT\Taskend.exe Status: 0xc0000034 File C:\WINNT\system32\txdrleok.dll not found! Deletion of file C:\WINNT\system32\txdrleok.dll failed! Could not process line: C:\WINNT\system32\txdrleok.dll Status: 0xc0000034 File C:\WINNT\system32\rxqjfplu.dll deleted successfully. File C:\WINNT\system32\oqvvkban.dll deleted successfully. File C:\WINNT\system32\dcbeg.bak2 deleted successfully. File C:\WINNT\system32\wintcc.exe deleted successfully. File C:\WINNT\system32\svkp.sys deleted successfully. Completed script processing. ******************* Finished! Terminate.

Logfile of HijackThis v1.99.1

Scan saved at 14:22:58, on 2007-04-13

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)


Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\WLTRYSVC.EXE

C:\WINNT\System32\bcmwltry.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\tcpsvcs.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\System32\igfxpers.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINNT\System32\WLTRAY.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\WINNT\AGRSMMSG.exe

C:\Program Files\TOPRO\TPPOLL.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe

C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe

C:\WINNT\system32\internat.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Opera\Opera.exe

C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE

C:\Program Files\wincmd\WINCMD32.EXE

C:\walka z wirusem\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

O3 - Toolbar: @msdxmLC.dll,-1@1045,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [igfxtray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINNT\System32\igfxpers.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINNT\System32\WLTRAY.exe

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\K-Lite Codec Pack\Real\mpclauncher.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [tppoll] C:\Program Files\TOPRO\TPPOLL.EXE

O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe" -run -n Workstation -v 5.0.0.0 -chkss

O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Wyślij do interfejsu &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D7A29E48-1665-46DF-AB43-BF716CC0F98D}: NameServer = 194.204.152.34,194.204.159.1

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe" -run bl -n Workstation -v 5.0.0.0 -ttsr 10000000 (file missing)

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows 2000

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"internat.exe" = "internat.exe" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Synchronization Manager" = "mobsync.exe /logon" [MS]

"igfxtray" = "C:\WINNT\System32\igfxtray.exe" ["Intel Corporation"]

"igfxhkcmd" = "C:\WINNT\System32\hkcmd.exe" ["Intel Corporation"]

"igfxpers" = "C:\WINNT\System32\igfxpers.exe" ["Intel Corporation"]

"hpWirelessAssistant" = "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" ["Hewlett-Packard Development Company, L.P."]

"WatchDog" = "C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" ["InterVideo Inc."]

"Broadcom Wireless Manager UI" = "C:\WINNT\System32\WLTRAY.exe" ["Broadcom Corporation"]

"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]

"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"CloneCDTray" = ""C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]

"VirtualCloneDrive" = ""C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s" ["Elaborate Bytes AG"]

"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]

"RealTray" = "C:\Program Files\K-Lite Codec Pack\Real\mpclauncher.exe SYSTEMBOOTHIDEPLAYER" [empty string]

"tppoll" = "C:\Program Files\TOPRO\TPPOLL.EXE" [null data]

"KAV50" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe" -run -n Workstation -v 5.0.0.0 -chkss" ["Kaspersky Lab"]

"Ashampoo FireWall" = ""C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"

  -> {HKLM...CLSID} = "Moje miejsca interfejsu Bluetooth"

                   \InProcServer32\(Default) = "C:\WINNT\system32\btneighborhood.dll" ["Broadcom Corporation."]

"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"

  -> {HKLM...CLSID} = "IZArc DragDrop Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"

  -> {HKLM...CLSID} = "IZArc Shell Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

"{B7056B8E-4F99-44f8-8CBD-282390FE5428}" = "VirtualCloneDrive"

  -> {HKLM...CLSID} = "VirtualCloneDrive Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"

  -> {HKLM...CLSID} = "IZArc Shell Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

Kaspersky Anti-Virus\(Default) = "{DD230880-495A-11D1-B064-008048EC2FC5}"

  -> {HKLM...CLSID} = "ShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\ShellEx.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"

  -> {HKLM...CLSID} = "IZArc Shell Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{DD230880-495A-11D1-B064-008048EC2FC5}"

  -> {HKLM...CLSID} = "ShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\ShellEx.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINNT\Web\Wallpaper\Zaćmienie słońca.jpg"



Startup items in "Administrator" & "All Users" startup folders:

---------------------------------------------------------------


C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart

"Adobe Gamma Loader.exe" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"BTTray" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation."]

"DVD Check" -> shortcut to: "C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" ["InterVideo Inc."]

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\Program Files\Ashampoo\Ashampoo FireWall\spi.dll [null data], 01 - 05, 18

%SystemRoot%\system32\msafd.dll [MS], 06 - 17, 19 - 21

%SystemRoot%\system32\rsvpsp.dll [MS], 22 - 23



Toolbars, Explorer Bars, Extensions:

------------------------------------


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{CCA281CA-C863-46EF-9331-5C8D4460577F}\

"ButtonText" = "@btrez.dll,-4015"

"MenuText" = "@btrez.dll,-4017"

"Script" = "C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]



Miscellaneous IE Hijack Points

------------------------------


C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")


Missing lines (compared with English-language version):

[DeleteAutosearch.reg]: 1 line



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."]

Broadcom Wireless LAN Tray Service, wltrysvc, "C:\WINNT\System32\WLTRYSVC.EXE C:\WINNT\System32\bcmwltry.exe" [null data]

Kaspersky Anti-Virus Service, KLBLMain, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe" -run bl -n Workstation -v 5.0.0.0 -ttsr 10000000" ["Kaspersky Lab"]

System zdarzeń COM+, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}

Usługi Simple TCP/IP, SimpTcp, "C:\WINNT\system32\tcpsvcs.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Port drukarki interfejsu Bluetooth\Driver = "bthcrp.dll" ["Broadcom Corporation."]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 18 seconds, including 5 seconds for message boxes)

(Joan Sunshine) #7

już jest Ok


(Lukasz Gorecki) #8

Dziękuję bardzo za pomoc.

Pozdrawiam

Lukasz


(Joan Sunshine) #9

chwilkę, coś pominęłam.

to, co na czerwono, usuń ręcznie z dysku w awaryjnym o ile będzie.

co do wpisu z pytajnikami > poczytaj Usuwanie PurityScan

Otwórz notatnik i wklej w nim to:

Plik -> zapisz jako -> zmień rozszerzenie na wszystkie pliki -> zapisz pod nazwą FIX.REG

Odpal plik FIX.REG i potwierdź dodanie do rejestru i reset kompa :slight_smile:

wklej jeszcze raz loga z combo. przepraszam Cię bardzo :oops:


(Lukasz Gorecki) #10

Tych plików nie było na dysku. A oto nowy log :

"Administrator" - Pn 2007-04-16 12:31:24 Service Pack 4

(adam9870) #11

Już jest Ok.

Czy masz jeszcze jakieś problemy ??


(Lukasz Gorecki) #12

Dzięki wielkie za pomoc. Narazie wszystko chodzi poprawnie.

Pozdrawiam

Lukasz