Trouble with the Win32:Horst-C [Trj] virus

For a few weeks I have had a problem with the Win32:Horst-C [Trj] virus.
I don't know where its copy is.
Every day it reappears in the same directory.

Event Viewer log

2006-05-03 11:08:07 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Kamikaze\USTAWI~1\Temp\46exmodul32.exe\[UPX]"" file. "
2006-05-02 20:43:56 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Kamikaze\USTAWI~1\Temp\99exmodul32.exe\[UPX]"" file. "
2006-05-02 19:48:41 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Kamikaze\USTAWI~1\Temp\65exmodul32.exe\[UPX]"" file. "
2006-05-02 18:07:19 avast! Informacje Client 90 Brak BOSKI-WIATR The virus database (VPS 0618-0) was automatically updated.
2006-05-02 10:16:27 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Mama\USTAWI~1\Temp\10exmodul32.exe\[UPX]"" file. "
2006-05-02 08:11:39 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Mama\USTAWI~1\Temp\69exmodul32.exe\[UPX]"" file. "
2006-05-01 22:28:08 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Mama\USTAWI~1\Temp\38exmodul32.exe\[UPX]"" file. "
2006-05-01 20:49:41 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Mama\USTAWI~1\Temp\63exmodul32.exe\[UPX]"" file. "
2006-05-01 18:57:30 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR An error has occured while attempting to update. Please check the logs.
2006-05-01 18:57:29 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
2006-05-01 18:13:44 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Kamikaze\USTAWI~1\Temp\95exmodul32.exe\[UPX]"" file. "
2006-04-30 23:36:11 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Kamikaze\USTAWI~1\Temp\49exmodul32.exe\[UPX]"" file. "
2006-04-30 22:52:29 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Trojano-CV [Trj]"" has been found in ""C:\Documents and Settings\Kamikaze\Ustawienia lokalne\Temp\install.exe\[NsPack]"" file. "
2006-04-30 22:52:20 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\Documents and Settings\Kamikaze\Ustawienia lokalne\Temp\5exmodul32.exe\[UPX]"" file. "
2006-04-30 11:08:32 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Kamikaze\USTAWI~1\Temp\83exmodul32.exe\[UPX]"" file. "
2006-04-30 09:51:25 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Kamikaze\USTAWI~1\Temp\84exmodul32.exe\[UPX]"" file. "
2006-04-30 06:05:02 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Mama\USTAWI~1\Temp\39exmodul32.exe\[UPX]"" file. "
2006-04-29 17:28:25 avast! Informacje Client 90 Brak BOSKI-WIATR The program was automatically updated.
2006-04-29 08:51:40 avast! Informacje Client 90 Brak BOSKI-WIATR VRDB (Virus Recovery Database) generation was successfully completed.
2006-04-29 06:49:57 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Mama\USTAWI~1\Temp\18exmodul32.exe\[UPX]"" file. "
2006-04-29 06:28:55 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Kamikaze\USTAWI~1\Temp\79exmodul32.exe\[UPX]"" file. "
2006-04-28 17:53:59 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Kamikaze\USTAWI~1\Temp\70exmodul32.exe\[UPX]"" file. "
2006-04-28 16:45:57 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Kamikaze\USTAWI~1\Temp\5exmodul32.exe\[UPX]"" file. "
2006-04-28 16:02:40 avast! Ostrzeżenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Kamikaze\USTAWI~1\Temp\21exmodul32.exe\[UPX]"" file. "

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 11:14:28, on 2006-05-03
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\explorer.exe
d:\Programy\Alwil Software\Avast4\aswUpdSv.exe
d:\Programy\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Programy\Zone Labs\ZoneAlarm\zlclient.exe
D:\Programy\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Milo spam killer\Milo.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
d:\Programy\Alwil Software\Avast4\ashMaiSv.exe
d:\Programy\Alwil Software\Avast4\ashWebSv.exe
D:\Programy\Gadu–Gadu\gg.exe
C:\WINNT\system32\mmc.exe
C:\WINNT\system32\NOTEPAD.EXE
D:\Programy\Avant Browser\avant.exe
C:\totalcmd\TOTALCMD.EXE
D:\BAZA\Spy\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Program Microsoft Internet Explorer dostarczony przez Robsona
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=80.227.56.42:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programy\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Microsoft Configuration - {40205287-E793-41AC-B95C-D8D064BA33CA} - C:\WINNT\system32\mscfg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programy\SPYBOT~1\SDHelper.dll
O2 - BHO: Seekmo Search Assistant Helper - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] d:\Programy\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] d:\Programy\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [.nvsvc] C:\WINNT\system\smss.exe /w
O4 - HKLM\..\Run: [OPSE reminder] "D:\Programy\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "D:\Programy\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKCU\..\Run: [Milo spam killer] C:\Program Files\Milo spam killer\Milo.exe
O4 - HKCU\..\Run: [XPize Reloader] C:\WINNT\XPize\XPizeReloader.exe /S
O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - D:\Programy\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Dodaj do listy blokowanych reklam - D:\Programy\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O8 - Extra context menu item: Otwórz w nowym Avant Browser - D:\Programy\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony... - D:\Programy\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Podświetl - D:\Programy\Avant Browser\Highlight.htm
O8 - Extra context menu item: Szukaj - D:\Programy\Avant Browser\Search.htm
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - d:\Programy\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - d:\Programy\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Programy\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - d:\Programy\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: NVIDIA Display Driver Service (Omega 1.6177) (Q) (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Log - Unknown owner - C:\WINNT\system32\nvsvcd.exe

Silent Runners log


"Silent Runners.vbs", revision 38, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Milo spam killer" = "C:\Program Files\Milo spam killer\Milo.exe" ["Bartłomiej Baron"]
"XPize Reloader" = "C:\WINNT\XPize\XPizeReloader.exe /S" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Zone Labs Client" = "d:\Programy\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"avast!" = "d:\Programy\ALWILS~1\Avast4\ashDisp.exe" [null data]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
".nvsvc" = "C:\WINNT\system\smss.exe /w" [null data]
"OPSE reminder" = ""D:\Programy\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "D:\Programy\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINNT\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Programy\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{40205287-E793-41AC-B95C-D8D064BA33CA}\(Default) = "Microsoft Configuration"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\mscfg.dll" ["TODO: "]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "D:\Programy\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5929CD6E-2062-44a4-B2C5-2C7E78FBAB38}\(Default) = "Seekmo Search Assistant Helper"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\seekmo\seekmohook.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "hticons.dll" [file not found]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Pasek menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Menu powłoki śledzenia"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Lokacja menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Pasek pulpitu menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IPasek folderów powłoki"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Łącza"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Obraz miniatury"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}" = "Miniatury"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\thumbvw.dll" [file not found]
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}" = "Rozpakowywacz miniatur filtrów graficznych Office"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\thumbvw.dll" [file not found]
"{450D8FBA-AD25-11D0-98A8-0800361B1103}" = "MyDocs Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}" = "eLicense Control"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\lcmmfu.cpl" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {CLSID}\InProcServer32\(Default) = "d:\Programy\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\dfshim.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! wzcnotif\DLLName = "wzcdlg.dll" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Kamikaze\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Scheduled Tasks:
------------------------

"komunikat" -> launches: "D:\komunikat.vbs" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{DB43E4E6-FF8A-4018-8C8E-F68587A44A73}" = "PopUpCop"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\PopUpCop\PopUpCop.dll" ["EdenSoft (tm)"]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
: [Version]
: Signature="$CHICAGO$"
: AdvancedINF=2.5,"You need a new version of advpack.dll"
:
: [RestoreHomePage]
: AddReg=RestoreHomePage.reg
:
: [RestoreBrowserSettings]
: AddReg=RestoreBrowserSettings.reg
: DelReg=DeleteTemplates.reg,DeleteAutosearch.reg
:
: [RestoreHomePage.reg]
: HKCU,"Software\Microsoft\Internet Explorer\Main","Start Page",0,%START_PAGE_URL%
:
: [RestoreBrowserSettings.reg]
: HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Page_URL",0,%START_PAGE_URL%
: HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Search_URL",0,%SEARCH_PAGE_URL%
: HKLM,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","1",0,"www.%s.com"
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","2",0,"www.%s.org"
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","3",0,"www.%s.net"
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","4",0,"www.%s.edu"
: HKCU,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
:
: ; NOTE (andrewgu) ie5.5b #108259 - autosearch settings are not properly reset
: HKCU,"Software\Microsoft\Internet Explorer\SearchUrl","Provider",0,""
:
: tm"
: tm"
: HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\SafeSites",%SAFESITE_VALUE%,0,"http://ie.search.msn.com/*"
:
: [DeleteTemplates.reg]
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","5"
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","6"
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","7"
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","8"
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","9"
:
: [DeleteAutosearch.reg]
: ; NOTE (andrewgu) ie5.5b #108259 - autosearch settings are not properly reset
: HKCU,"Software\Microsoft\Internet Explorer\Main","AutoSearch"
:
: [Strings]
: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
: SEARCH_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
: SAFESITE_VALUE="ie.search.msn.com"
:
: ; IMPORTANT NOTE:
: ; IE branding dll (iedkcs32.dll) uses the following entries to restore the default MS values.
: ; In the vanilla version of IE, the values must be the same as their corresponding non MS_* values.
: ; For example, START_PAGE_URL and MS_START_PAGE_URL must have the same URL in the IE version released by MS.
: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
:

Missing lines (compared with English-language version):
[Version]: 2 lines
[RestoreHomePage]: 1 line
[RestoreHomePage.reg]: 1 line
[RestoreBrowserSettings.reg]: 12 lines
[DeleteTemplates.reg]: 5 lines
[DeleteAutosearch.reg]: 1 line
[Strings]: 1 line
[RestoreBrowserSettings]: 2 lines
[Strings]: 3 lines


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""d:\Programy\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""d:\Programy\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""d:\Programy\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""d:\Programy\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
LicCtrl Service, LicCtrlService, "C:\WINNT\runservice.exe" [null data]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Display Driver Service (Omega 1.6177) (Q), NVSvc, "C:\WINNT\System32\nvsvc32.exe" ["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINNT\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Replies: 1

In the HijackThis log the only things I can see are:
mscfg.dll
seekmohook.dll
C:\WINNT\system\smss.exe - the system one is in \system32
EL NINO
Posted
03.05.2006 17:09:22
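As an added example (not from the post or from either tool), the following Python script applies the reply's reasoning to the logs above: it groups the avast! detections so the re-dropped `NNexmodul32.exe` files appear as one recurring artefact per directory, flags HijackThis autostart entries that place a core system binary name outside System32 or point at a missing file, and flags Silent Runners DLL entries whose version-info company string is a build-template placeholder such as "TODO: ". The sample lines are copied from the post's logs with hyphens and diacritics normalised.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied (hyphens and diacritics normalised)
# from the avast! event log, the HijackThis log and the Silent Runners BHO
# section in the post.
AVAST_LOG = r'''
2006-05-03 11:08:07 avast! Ostrzezenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Kamikaze\USTAWI~1\Temp\46exmodul32.exe\[UPX]"" file. "
2006-05-02 20:43:56 avast! Ostrzezenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Kamikaze\USTAWI~1\Temp\99exmodul32.exe\[UPX]"" file. "
2006-05-02 18:07:19 avast! Informacje Client 90 Brak BOSKI-WIATR The virus database (VPS 0618-0) was automatically updated.
2006-05-02 10:16:27 avast! Ostrzezenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Horst-C [Trj]"" has been found in ""C:\DOCUME~1\Mama\USTAWI~1\Temp\10exmodul32.exe\[UPX]"" file. "
2006-04-30 22:52:29 avast! Ostrzezenie Client 90 Brak BOSKI-WIATR "Sign of ""Win32:Trojano-CV [Trj]"" has been found in ""C:\Documents and Settings\Kamikaze\Ustawienia lokalne\Temp\install.exe\[NsPack]"" file. "
'''
HJT_LOG = r'''
O2 - BHO: Microsoft Configuration - {40205287-E793-41AC-B95C-D8D064BA33CA} - C:\WINNT\system32\mscfg.dll
O2 - BHO: Seekmo Search Assistant Helper - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll (file missing)
O4 - HKLM\..\Run: [.nvsvc] C:\WINNT\system\smss.exe /w
O4 - HKLM\..\Run: [avast!] d:\Programy\ALWILS~1\Avast4\ashDisp.exe
'''
SILENT_RUNNERS = r'''
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\mscfg.dll" ["TODO: "]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
'''

DETECT_RE = re.compile(r'^(\d{4}-\d\d-\d\d) .*?Sign of ""([^"]+)"" has been found in ""([^"]+)""')
PATH_RE = re.compile(r'([a-z]:\\[^"\n]+?\.(?:exe|dll))', re.I)
COMPANY_RE = re.compile(r'= "([^"]+)" \["([^"]*)"\]')
# Core NT binaries that only legitimately run from System32 on Windows XP.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
EXPECTED_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}


def redrop_summary(log):
    """Group detections by (directory, name with the random digit prefix removed,
    signature) so a dropper that re-creates NNexmodul32.exe shows up as one
    recurring artefact. Short (8.3) and long directory names are not merged."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = DETECT_RE.match(line)
        if not m:
            continue  # database updates and other non-detection events
        date, sig, path = m.groups()
        path = re.sub(r"\\\[[^\]]+\]$", "", path)  # drop the "\[UPX]" packer layer
        directory, _, name = path.rpartition("\\")
        stem = re.sub(r"^\d+", "", name.lower())
        hits[(directory.lower(), stem, sig)].append(date)
    return {k: sorted(set(v)) for k, v in hits.items()}


def triage_hjt(log):
    """Flag autostart/BHO entries by the two criteria the reply uses."""
    findings = []
    for line in log.splitlines():
        m = PATH_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        directory, _, name = path.lower().rpartition("\\")
        if name in SYSTEM_BINARIES and directory not in EXPECTED_DIRS:
            findings.append((path, "system binary name outside System32"))
        if "(file missing)" in line:
            findings.append((path, "entry points at a file that is gone"))
    return findings


def triage_silent_runners(log):
    """Flag loaded DLLs whose version-info company is a template placeholder."""
    return [p for p, company in COMPANY_RE.findall(log) if "todo" in company.lower()]
```

Run against the full logs, `redrop_summary` turns the long list of one-off detections into a few (directory, artefact) rows with the dates they recurred, which is the evidence needed to go looking for the persistent component rather than the Temp copies.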
inforobert
Posted:
03.05.2006 13:19:39
Comments:
1